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il [SUBJECT OF THE INVENTION] 

^£E^;{cio(t-5 / fit^M'f"-5'ff The existence of the correctness of a 

%k£Mbi~Z. „ ^^rX<D cryptogram can be shown without leaking the 

E^ttco^fM^r^i"^. kti*X*% information about the value in a verification 

5» type. 

[#fe¥&J [PROBLEM TO BE SOLVED] 

p q fi p — 1 It considers it as the big prime number among 

SrW <9 ty%>X% teMWb G which p gives a clear-cut solution to a big prime 

q <Djt g 1 , g 2 ^rffig^jiiR number, and q gives p-1, and chooses the origin 

U X=gl x1 g2 ^mod p , g1 and g2 of Gq as desired, let X=g1 x1 g2 x2 mod 

Y = g l y1 g 2 y2 modp, Z = g p, Ysgl^^modp, Z=g1 2 mod p be the 

l z mod p ^Bf-^Htfcfflv^^ public key which it uses for encryption, let 

Mtt£L.« (xl, x2, yl, (x1,x2,y1,y2,2)(elementof)Zq 5 be a secret key, 

y 2, z) eZq 5 $:i^ii: it receives cryptogram E= (u1, u2, v, e) of 

U ¥Xm<D$%-%XE = ( u 1 , Plaintext m. 

u2, v , e ) Srgft L (SI), (S1), it forms a random number r. 

SURr££f£L- (S 2h c=H (S2), c=H (u1, u2), v= (calculating 

( u 1 , u2),V=(ul x1+cy1 u1 x1+cy1 u2 x2+cy2 v- 1 ) r mod p) 

u 2 x2+cy2 v 1 ) r mod p Srfr^ (S3), if it is V= 1 , it decodes a cryptogram as a 

L (S3), V = 1 &£>B£-£}-;x:£t pass, if it is a rejection, it proves that it is a 

-a-l&ir LT^-^-L. ^F-a^ft^b rejection by zero knowledge proof, without 

0 > r , x 1 , leaking a function secret to r, x1 , x2, y1 , and y2. 
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x 2, y 1, y 2£Hft&ft& 




02 

51 Cryptogram reception 

52 Random-number r generation 

55 Decoding calculation 

56 Zero knowledge proof 



[*mffl|3ft©*5ffll [CLAIMS] 

1 1 [CLAIM 1] 

Sfs LfcBf-^^C^jE^fcf^?) A cryptogram verification method, in which in 

titch<DT:&>Z) r 1 4\ ^SE^; the cryptogram verification method which it 

©Ipfta* 1 izfc >5 r t £rfltf8i~<5 verifies by checking that the cryptogram which 

r t i o TtfefEi"5 Bf-^^:^ received is made justly, and that the value of a 

fjE^&tC&l^T^ verification type is set to 1, it forms a random 

SUBtr $r4s)cL, ^^O^IE^; number r, it verifies a cryptogram by checking 
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(D\$y £ r ^ LfciUtf 1 M&<5 whether the value which squared the value V of 

frl^fr&WM-t <5 £ J: o T an original verification type r is set to 1. 

[tm*K2] [CLAIM 2] 

p q£rp — 1 A cryptogram verification method, in which 

tel^v) ty&X^z ftMWb L> G considering it as the big prime number which 

q fi^fepZ p * (D#lMl q (D%H gives a clear-cut solution for p to a big prime 

#S££^"t~t>£>£ U g 1, g number, and gives a clear-cut solution for q to 

2 fi, g 1 %&h-tZ> g 2 ©i p-1, Gq shall express the partial group of the 

ffc^&;S^£q~efo5G q <D%t digit q of multiplicative-group Zp\ 

U.H^r^ffl/N ^ v^^L^^t U x G1 and g2 carry out g1 the origin of Gq with a 

(xl, x2, yl, y 2, z) discrete unknown logarithm of g2 which it uses 

£Zq 5 £r$J£g$i , X = g 1 x1 as a bottom, let H be a general purpose hash 

g 2 x2 mod p, Y=gl y1 g2 function, it is a secret key about 

^mod p, Z = gl z mod pft (x1,x2,y1,y2,z)(element of)Zq 5 , x=g1 x1 g2 x2 mod 

5 (X, Y, Z) «:4*H*£U P,y=g1 y1 g2 y2 modp 

^m^-f SBff^Ettc £ Let Z=g1 z mod p be public key (X, Y, Z), the 

H ( u 1 , u 2 ) mod q t LX cryptogram E with respect to Plaintext m 

u 1 = g 1 r mod p , u 2 = g C, as H(u1,u2)mod q 

2 r mod p, v=X r Y cr mod p Becomes u1=g1 r mod p, u2=g2 r mod p, and 

*5EoH* (u 1, u 2, v) v=X r Y cr mod p. 

&i£tt$m-%fefc$5\f">X* In the cryptographic method containing 3 sets 

tS-^#^fgfis %M r L % (u1, u2, v), a decoding person apparatus forms 

c =H (u 1 , u 2) mod q $r a random number r, it calculates c=H(u1, u2) 

fHffl^ modq, 

V = ( u l x1+cy1 u2 x2+cy2 v" 1 ) r V= (calculating u1 x1 ^ y1 u2 x2 ^ 1 ) r mod p) 

mod p Srff- 3? V ^ 1 (c^ L It verifies the correctness of a cryptogram, when 

V ^ t SrflfciB-f - 5 r £ (C <£ o T V checks that it is equal to 1 . 

Bf#itOjEattSrttiE-r 5 r. 
«:W»i:i-*l»«*liE*jfeo 

[ff#«3] [CLAIM 3] 

2 0OBt-^^C^IiE^rfe{c In the cryptogram verification method of Claim 
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*dV>T, V/O* 1 (C^L< fcV*4§ 2, when V is not equal to 1, to the random 

number r which has V to a third person using 

^■^m.^^X^E.^KV zero knowledge proof (it proves that it is the 

# *> 5 SL& r (C*f L T (ul result of calculating like u^**^* 2 * 5 ^- 1 )' mod 

x1 + cy1 u 2X 2 + cy2 v -1 ) r mQd p ^ p ) 

J: 5 Kltf3£ Ltc%£!gX'&2>c\ i: The cryptogram verification method 

SrSEWI" -5 n £ <b Bf characterized by the above-mentioned. 

[MT&S4] [CLAIM 4] 

p£r;*;#&^^ qSrp— 1 A cryptogram verification method, which 

ZI^Wty&X^teMWk G considers it as the big prime number which 

q fi^feS£ Z p <D#LWi q gives a clear-cut solution for p to a big prime 

&$:i&.~f'h<Db L x gl, g2 number, and gives a clear-cut solution for q to 

£rGqGD7c<t L> H^rtdffl^^y p-1. 9d shall express the partial group of the 

Y =l Blifc t L digit q of multiplicative group Zp. 

n A(DlM^r% £r P 1 ~ P n <!: It carries out g1 and g2 the origin of Gq, let H be 

U i &^-^#P j lifS^Oteffl a general purpose hash function, it sets n 

fitw j &Wh^ persons' decoding person to P1-Pn, each 

( x 1 , x 2 , y 1 , y 2, z) decoding person Pj has the inherent open value 

€=Zq 5 £3t<n Zmtz-f t wj, 0c1,x2 l y1 l y2,z) 

£ VMH t ©WtfeCJ;?) # Let the secret value (x1 j, x2 j, y1 j, y2 j, zj) 

WtLX%bfriZ>, W. w j izttfo corresponding to a value wj acquired by 

-f&Wi&iU (x 1 j , x 2 j , dispersing (element of)Zq 5 with the secret 

y 1 j , y 2 j , z j ) £rtg7§- dispersion method of threshold-value t which 

#P j (DU&mt U fills 3 t<n be the decoding person's Pj secret 

Xj=gl x1j g2 x2i mod p , key, letXj=g1 x1j g2 x2j mod p, Yj=g1 y1j g2 y2j mod p, 

Y j = g 1 y1j g 2 y2j mod p , and Zj=g1^mod p be the decoding person's Pj 
Z j = g 1 zj mod p &3 (X j , public key (Xj, Yj, Zj), 

Y j , Z j ) £&-^rP j <D& 

mmt u 

^©flTW^IilHJfcfi* A safe communication channel shall be 

&iiff S&^&S h<0 1 $.tz^ between each decoding person apparatus. 

^IS-^f^iltex 4tL<D-£.lk<D'lS. Moreover, that each decoding person apparatus 

■*MflS£gj& s lRi— tf>l*i3££3£f§ "t" receives the content with all the members' same 
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5 £ £ ^{SrfiE^tLS^^Miifi' other decoding person apparatus shall utilize 

i&2rf'Jffl~C# <5 the broadcast type communication channel 

a»rGZq«rL#^fflt©S guaranteed. 

fl&^tfcfefcj: !J#1ftLT#S>*L The decoding person Pj shall maintain the 

<5> ffiw j (C^j£^3^frfilL r secret value rj corresponding to a value wj 

j £:tg-^lfP j Jii£jrH~<5£><D acquired by dispersing random-number 

t L N r(element of)Zq with the secret dispersion 

E = ( u 1 , u 2 , v, e) £\ method of threshold-value t. 

X=g l x1 g 2 x2 mod p, Y= Let E= (ut, u2, v, e) be the cryptogram of 

gl y1 g2 y2 mod p, Z = gl z plaintext m which used X=g1 x1 g2 x2 mod p, 

mod p Ztem^t Ltc¥-JCm Y=g1 y1 g2 y2 mod p, and Z=g1 2 mod p as public 

(D^^-JckL, ZELV>fJ£-S§-:£fi key, when the correct cryptogram satisfies 

ul = gl r mod p , u2 = g u1=g1 r mod p, u2=g2 r mod p, c=H (u1, u2), v=X r 

2 r mod p , c = H ( u 1 , u Y^mod p, and e=mZ r mod p, the apparatus of 

2), v=X r Y cr mod p, e= each decoding person Pj who received E 

mZ r mod p SrJSJBi" 5 t calculates c=H (u1, u2), 

Bfi. c =H (u 1, u 2) £ 

V j = ( u 1 x1 ^ 1j u 2 v Vj= (calculating u1 x1j+cy1j u2 x2 ^ cy2j V 1 ) rj mod p) 

" 1 ) d mod p £rfH"JS It transmits the secret value Vjk corresponding 

V j £r L# vMMl t 2 t J^T to a value wk acquired by dispersing Vj with t or 
<D&W»I$ffi&&ftWlfefc£ more threshold values and a verifiable secret 
StLT?#£>;ft£. ffiw k \Z.%Sfo dispersion method 2t or less through a 
i~5®WrHf[V j k $r#^^*#P communication channel safe for each decoding 
k©^g{c^^ftiift&Sr^L person's Pk apparatus, the apparatus of the 
T^fSL, decoding person Pk who received Vjk from all 
ftiLW£T©tg^<h^fi#>£>V j other decoding person apparatus transmits Vk 
k SrStfi? Lfc^-PMfP k (D^g to all other decoding person apparatus 
f3u ^^^iiif^f-ct 9 ^ Vk according to a broadcast type communication 
&ttL<D±X(D'iM-%r%BW^i£it channel, the apparatus of each decoding 

person Pj who received Vk transmits 

V k £r:g{f Lfc^^-SMf P j <D corresponding Vkj to all other decoding person 
^gfi^Jft^S V k j telifcj&Q apparatus according to a broadcast type 
ii^KtJ:9fl&©^r©SW communication channel, it verifies that each 
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^tt^j£{|§L, #tI-£Nf$?tiifi decoding person apparatus is each value with 

#Vk &JE L WST*&<5 r t £ correct Vk using all Vkj(s) that received, 

Ltc±X <DV k j £ffiv^ 

lEL^^klfeW&titcV k©H If correct, it will choose 2t+1 piece among 

2 t + 1 m SriiiR U checked Vk(s), it examines whether the value V 

^fi"5S^^7c¥JilI(c J: *)'4Ljt decompressed with the secret decompression 

LfcfttV^ i LV^vg^^r procedure with respect to an index part is equal 

W^, t£\t^t£b\i{&(D2 to 1, if not equal, it repeats a secret 

t + 1 §&<D%iZt- J &fc> J \kX¥\WiZ- decompression procedure similarly in other 

ffi&'&jc^M&Wi'O ML, -£.X 2t+1 piece combination, about all combination, 

(Z^fl^^friirfcio^-Ov-f tbt> if the decompression value is not all equal to 1, 

'&7ti\lLft % 1 (C^r L < fel^tt: h it will judge that the cryptogram is irregular, if 

fcf , ^<£>R£ -^St^FjE £ ¥IJ£ U there is combination set to 1 at least one, it will 

— o-C & 1 (C 5 1?*^ judge that the cryptogram is correct. 

L V > <b W^-f 5 r <b <b -r 

[11*^5] [CLAIM 5] 

ff^^4<DBf-^;£#&tiE;frfetc A cryptogram verification method, in which in 

53 V n X N the cryptogram verification method of Claim 4, if 

ifEBf-^t^lELV^^iJ^tL judged with the above-mentioned cryptogram 

5 £ > being correct, let w be n root of 1 in mod q, each 

w£r mod q "CO 1 <D n^tf&b decoding person apparatus makes wj w*" 1 mod 

L, ^^-^Mf^igte. w j £rw q, it considers it as the eigenvalue of public 

H mod qtL, 1< j <nfdio presentation of wj which fills wj!=1 in 1<j<n, 

^tw j ¥=1 £ffitc-f£. o few each decoding person's Pj apparatus calculates 

j ^^^(OWi^iW-t L, Dj=u1 2j mod p, it transmits to all other decoding 

^^^Mf P j <£>§£il{iD j = u person apparatus according to a broadcast type 

1 zi mod p £r ff3> U> ^Co^^ii communication channel, it checks that the 

If Kt«k 9i©it©tf-ti discrete logarithm which uses as a bottom u1 

fi^i£fjf U Sff Ufc (D 1 , which received (D1..., Dn) is the coding word of 

Dn) <Dul&&k1rZ>m aBCHcode. 

wmm> b c nn%-<D = - k ? 
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zwrnb-tz^xmu* 

[ff^6] [CLAIM 6] 

p£r;*:#&^fc. q£rp — 1 A cryptogram verification method, which 

teWlVtyZX^te^^fct U G considers it as the big prime number which 

q (ilfeiZ p* (D^L^Cq <Dgfl gives a clear-cut solution for p to a big prime 

:fti¥£r3g~t~t>£>£ g 1 , g number, and gives a clear-cut solution for q to 

2 Ji, g 1 £rj££i~S g 2 p-1, gq shall express the partial group of the 

tfc*t$tf s 7(c£n X 5 G q <DtE ir digit q of multiplicative-group Zp* . 

l^H^rftLffl/^ -*>^IS3&<!: G1 and g2 carry out g1 the origin of Gq with a 

( x 1 , x2, y 1 , y 2, z) discrete unknown logarithm of g2 which it uses 

g Z q 5 £r$B$S5£t^ X = g 1 x1 as a bottom, let H be a general purpose hash 

g 2 x2 mod p, Y=gl y1 g2 function, (x1,x2,y1,y2,z) 

^mod p, Z = gl z mod p& Let a secret key, X=g1 x1 g2 x2 mod p, 

5 (X, Y, Z) &&mmt U Y=g1 y1 g2 y2 mod p, and Z=g1 z mod p be public 

¥JCm[£tt1r&V&&XElic £ key for (element of)Zq 5 (X, Y, Z), the 

H (ul, u 2 ) mod qti^X cryptogram E with respect to Plaintext m 

ul = gl r mod p , u 2 = g Making c into H(u1,u2)mod q. 

2 r mod p, v =X r Y^mod p U1=g1 r mod p, u2=g2 r mod p, it becomes v=X r 

455oH*(ul, u2, v) Y cr modp. 

£^tpR£##i£{c33l^"C\ In the cryptographic method containing 3 sets 

&^%3kWii, QMt r 3r£$c b> (u1, u2, v), a decoding person apparatus forms 

x 1 ' = x 1 • r mod q , x a random number r, it calculates x1-x1 and 

2 ' = x 2 • r mod q , y 1 ' rmod q, x2-x2 and rmod q, y1'=y1 and rmod q, 

= y 1 • r mod q , y 2 ' = y and y2-y2 and rmod q, 
2 • rmod q SrfHSL* 

Sff LtzV^^rX^hs c =H(u From the cryptogram which received, it 

1, u2) mod q£rfH¥L, V calculates c=H(u1, u2) mod q, it calculates 

= ul x1,+cyV u2 xZ+cyZ v- r mod V =u1 x1 ' +cyr u2 x2 ' +cy2 V r mod p, it verifies the 

p £rff*3¥l^ 1 M^LV^r correctness of a cryptogram, when V checks 

t £r«ftiB1"5 r. t J: o X Bf# that it is equal to 1 . 

xoiE^&zmm-f 5 r * 
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[If 7 ] [CLAIM 7] 

If ©Bt-^-^t^U^'feC: A cryptogram verification method, in which in 

*3V^T % the cryptogram verification method of Claim 6, 

Vri* 1 }c^L< ftv^SH^cu ^ when V is not equal to 1, as for a decoding 

-^•#§£fifi (X, Y, V) t)5, person apparatus, (X, Y, V), receive that it is 

fc5 (xl, x2, yl, y2, (x1 , x2, y1 , y2, r). 

r ) (c M L T X = g 1 x1 g 2 It zero-knowledge-proves satisfying 

x2 mod p, Y=g l^g 2 y2 mod X=g1 x1 g2 x2 mod-p,Y=g1 y1 g2 y2 mod-p,V=u1 x1r+<:y1r 

p , V = u 1 x1r+cy1r u 2 x2r+cy2r u2 x2r+cy2r v r mod p. 

v" r mod p &W§fiLi-£ ^ £ Sr^ Using this, it proves to a verification person, 

fcHMEW V ( x 1 , x 2 , making secret (x1 , x2, y1 , y2). 

y 1, y 2) Ltc&t. 

[Hf&^8] [CLAIM 8] 

ff^^T (DBf^-^C^IjE^fet-i A cryptogram verification method, in which in 

33 V the cryptogram verification method of Claim 7, g 

g , hlig £rJ& if^h <7)$tt5: and h are under Gq whose discrete logarithm of 

M'&fi^ftiX-h&i.jtiiG q(D . h which uses g as a bottom is unknown, 

TC'CfcoT, comprised such that a decoding person 

^-^HfSsflli, r , a 1 , apparatus forms random numbers r, a1, a2, b1, 

a 2, b 1, b 2££/?)cU and b2, it exhibits R,RX1,RX2,RY1,RY2 used 

R = g r h a mod p,RXl=R as R=g r h a mod 

x1 h a1 mod p, RX2=R x2 h p,RX1=R x1 h a1 mod-p,RX2=R x2 h a2 mod-p,RY1=R y 

a2 mod p, RYl=R y1 h 1 h b1 mod-p,RY2=R y2 h b2 mod p, 
b1 mod p, RY2=R y2 h 
b2 mod p45R, RX1, RX 
2, RY1, RY2ST&MU 

(X, Y, V, R, RX1, R To (Xl,x2,y1,y2,r,a,a1,a2,b1,b2) with 

X2, RY1, RY2) (X,Y,V,R,RX1,RX2,RY1,RY2),x=g1 x1 g2 x2 modp, 

(xl, x2, yl, y2, r, y=g1 y1 g2 y2 mod p, v =u1 x1r+cy1r U 2 x2r+cy2r 

a, a 1, a 2, b 1, b2) v^mod p, r=g r h a mod p, RX1=R x1 h a1 mod p, 

IdfcrLT. X=g l x1 g 2 x2 mod RX2=R x2 h a2 mod p, RY1=R y1 h b1 mod p, 
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P , Y=gl y1 g2 ^mod p , RY2=R y2 h b2 mod p 

V = u 1 x1r+cy1r u 2 x2r+cy2r It proves filling the relation used as this by zero 

v " r mod p , R = g r h a mod knowledge proof. 

p, RX 1 =R x1 h a1 mod p, 

RX2=R x2 h a2 mod p, RY 

1 =R y1 h b1 mod p, RY2 = 

R^h^mod pte&mttm 



[H*«9] [CLAIM 9] 

ft^3g6(DBt-§*^t^||E^&(c: A cryptogram verification method, in which in 

io V > X > the cryptogram verification method of Claim 6, it 

n A ©IMtM? & P 1 ~ P n t sets n persons' decoding person to P1-Pn, let w 

L s be n root of 1 in mod q, it makes wj into w 1 " 1 mod 

w^r mod q X<D 1 (Dn^ktikb q, in 1<j<n, it shall fill wj!=1. 

w j ^rw*" 1 mod qtU 1 It assigns each decoding person Pj a value wj, 

< j < n {z3o]/^Xw j ^ 1 Sri® let the decoding person's Pj secret key (x1 j, x2 

tcir i>(Dbl,^ 4rti[7Hf P j \Z j, y 1 j, y2 j, zj) be the secret value corresponding 

{% w j £r#J 9 =5 X\ to a value wj acquired by dispersing (x1 , x2, y1 , 

tl^Nf P j tf>§£?£3Si (x 1 j , y2, z) with the secret dispersion method of 

x2j, ylj, y 2 j, zj) threshold-value t which satisfies 3 t<n, 
tt, 3 t <nSrStfc"TU#V^ 

to»tfeia^) (x i, 

x 2 , yl, y 2 , z ) Sr^ffc 

Xj=gl x1j g2 x2j mod p , Let Xj=g1 x1 ' g2 x2j mod p, Yj=g1 y1j g2 y2j mod p, 

Y j = g 1 y1j g 2^ mod p , and Zj=g1 2j mod p be the decoding person's Pj 
Z j = g l Zj mod p&5 (X j , public key (Xj, Yj, Zj), a safe communication 

Y j , Z j ) ^t^t^P j <D<& channel shall be between each decoding 

U person apparatus. 

©t^^SefifWfCKJu Moreover, that each decoding person apparatus 

ftilff h<Db L^tc. receives the content with all the members' same 
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#t6-^#2£fifi* ttl<D^kM>(DjM other decoding person apparatus shall utilize 

-^#i£{S/5*|pJ— ^ft^^Sfirt' the broadcast type communication channel 

# 5 {£jaE $ ft 5 ^i^Milft guaranteed. 

S&?:fOT"C^ 5 ^>^)<t L, The decoding person Pj shall maintain the 

1AM r e Z q L#vMlS t <7>3& secret value rj corresponding to a value wj 

^#tfc&fcJ: 9#tfcLT#k;ft/ acquired by dispersing random-number 

5^ fitw j (C^j*j^"t"5^^ > fit r r(element of)Zq with the secret dispersion 

j SrH##P j f±^j#-f~3k© method of threshold-value t. 

£ Each decoding person's Pj apparatus calculates 

^tlT? #P j (D^MH. r • x and maintains secret value x1j' corresponding 

1, r • x 2 , r • y 1 , r • to a value wj obtained by each dispersing r-xt, 

y 2 Sr-tix-^ftL^vHtt t <D& r-x2, r-y1, and r-y2 with the secret dispersion 

^#fu£f-cfc VftWtLX'&btl method of threshold-value t, x2j\ y1j\ and y2j' 

5^ fitw j (c*fjc£:i"S®?6ttx by the distributed multiplying method, 

1 j' , x2 j' , y 1 j' , 
y 2 j' ^MSStaot 

Bf^^SrSft Ltc^r^M-^r^ P j The apparatus of each decoding person Pj who 

(O^Wi, c=H (ul, u2) received the cryptogram calculates c=H (u1, 

SrtF* U V j = u 1 x1 ^ u u2), it calculates Vj^ul^^^^V^mod p, 

2 x2f+cy2f y -n mod p^ff-^L^ according to a broadcast type communication 
^i£MiIfil8&i£c£ V j £rfi!l channel, it transmits Vj to all other decoding 
(D&X<DlM^%<&\8L^T£tnls, person apparatus, it checks that the index part 

(VI, — , Vn) (D^WW of (VI.., Vn) is the coding word of a BCH code, 

B CHffi-%r(D^— K17— K~C$> it verifies the correctness of a cryptogram by 

& ^ t checking that the value V decompressed with 

Js^flfc^H" '58&3£1S7c¥HR£ the secret decompression procedure with 

cfc 9 Hx; LfdiVri* 1 fcS? LV^ respect to an index part is equal to 1. 

[ffsfc® 1 0 1 [CLAIM 10] 

If (DVfe^XtikjUEjjfeltZ A cryptogram verification method, in which in 

the cryptogram verification method of Claim 9, it 
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L#vM«it£:2t<n %Wci~ shall fill 2 t<n for threshold-value t. 

U (VI, — f Vn) <D Insteadof checking that the index part of (V1... f 

tgWBCH^3^ K7 Vn) is the coding word of a BCH code, each 

-FtfcSIi: £rflfe§H~5ft;b decoding person's Pj apparatus 

0 P j ©3£fi#\ Without Vj leaks the information concerning that 

Vj^ul x1/+cy1f u 2 x2f+cy2f v- fj it is the correct calculation result of 

mod ptf>:ELl^#*£m-Cfc ul^'u?^/ 1 mod p, and ] 

3^<t£rxlj' , x 2 j ' , x1j',x2j',y1j',y2j',rj, it proves to another decoding 

ylj', y 2 j ' , rjicil person apparatus by zero knowledge proof, it 

$ft£rif £>~f^ <t ft < > ^ spedfies the decoding person Pj in whom zero 

^Pf^HE^tc ckottC^tS knowledge proof failed as a deviation person, 

fl^IE^ L N another decoding person apparatus 

^^Pf^HEPJ^^I^Ufc^-^^P decompresses a deviation person's secret 

j LT#^t, j&Jft value x1j', x2j', ylj 1 , y2j\ and rj using a secret 

#<Dg$Htx 1 j 7 , x 2 j ' , value recovery procedure, 
y l j ' , y 2 j ' , r j Srflfc 

1 1 J [CLAIM 11] 

ff 9 OBt^fc^fEfrfef:: In the cryptogram verification method of Claim 

&V>T. 9, when (V1..., Vn) are not the coding words of 

(V 1 , — , V n) ^BCHi a BCH code, it proves each decoding person's 

-^(^n— K!7— KT*/£^f ^ Pj apparatus to another decoding person 

M> ^MX^M^P j O^itte:. V apparatus by zero knowledge proof, without 

j^ul x1/+cy1f u 2 v leaking the information concerning [ that Vj is 

mod p©fr**S*-CS>3££ the calculation result of u 1 x1J+cy1jr u2 x2f+cy2r V ,j 

£r x 1 j ' , x 2 j 7 , y 1 mod p, and ] x1j\ x2j', y1j', y2j\ and rj, it 

j 7 , y 2 j ' , r j {::§!i~§ specifies the apparatus of the decoding person 

WWi^Mh't^- tt£<, Pj who failed in proof with a deviation person's 

fEIHMcfc oT^©tg^#3£g{:i apparatus, another decoding person apparatus 

HEK U> decompresses secret value x1j' of a deviation 

P j <D^W&&$$l%<D^W 1 %f person's apparatus, x2j\ y1j', y2j', and rj using a 

J£ U ifyft#©81S©3IMS&fiS x secret value recovery procedure. 

Ij',x2j / ,ylj / , The cryptogram verification method 
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y 2 j ' , r j £\ ftfL£>H-£Hf characterized by the above-mentioned. 

XEBECS* 

[f»*3gl 2] [CLAIM 12] 

ff^^9©^^;fc^fE£ife{c A cryptogram verification method, in which in 

feV^T, the cryptogram verification method of Claim 9, 

±ti^7uLtcWV^ 1 (d^LV^ when the above-mentioned value V which 

ilHHC* ^Mg-SMf P j (D^gfi decompressed is equal to 1, each decoding 

D j = u l zj mod p £rff-3¥ U person's Pj apparatus calculates Dj=u1 ZJ mod p, 

£fo£MiiffE&fC<fc VjtiL(D±X(D it transmits to all other decoding person 

^-^^^il^^fiLx apparatus according to a broadcast type 

SffLfc (Dl, — , Dn) O communication channel, it checks that the 

u 1 &&bi-&MWtft%l&BC discrete logarithm which uses as a bottom u1 

Hlf^n^ KI7— K-efe5 r which received (D1..„ Dn) is the coding word of 

h&mfrtZZk&ftWlki-Z aBCHcode. 



[fl*9(l 3] [CLAIM 13] 

W^ 3 ! 1 0 ^OffH^^^fE^^ A cryptogram verification method, in which in 

{cioV>T, the cryptogram verification method of Claim 10, 

&7cLtcWVffi 1 fc^LV^SM^ in each decoding person's Pj apparatus, the 

^g-^tP j (D^MfiD j decompressed value V calculates Dj=u1* j mod 

= u 1 ^mod p Srft^L Dj p, when equal to 1, dj is the correct calculation 

&lEL^$t$ttg%:T?3bZ>Zk$: result. 

z j £|g-f 5if#£ri(lSbi~w £ Without it leaks the information about zj, it 

#^OfttE^{c:J:oTflii(D proves to another decoding person by zero 

^^#(c|E^U> knowledge proof, it specifies the decoding 

£fl!&iiEl^ {c£$C LtcM^r^ P person Pj who failed in zero knowledge proof as 

j ^W&Mk LXffifeLs a deviation person, another decoding person 

#<D%!>^iM z j Srfl&tf^^M^e apparatus decompresses a deviation person's 

g^^^ffilHl^^JiilrfflV^T^ secret value zj using a secret value recovery 

TC't&Zk&fiWLk-r&ftiqrX procedure. 
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[fflfjftg 1 4 J [CLAIM 14] 

IMt® 1 2Xfil 3 <7>B#-^^t A cryptogram verification method, in which in 

^fE^fetC&l^"^ the cryptogram verification method of Claim 12 

£^#3£fifijEl^ (D 1, or 13, from it being correct (D1..., Dn), each 

— , Dn) frb^ decoding person apparatus decompresses 

u 1 £riEi:i~<5jf %£%$ttCMi~& D=u1 z mod p with the secret decompression 

$5?f5tfi7c¥JI|Stei i 9 D = u 1 2 procedure with respect to the index part which 

mod p $r^7c L % uses u1 as a bottom, calculates m=e/Dmod p, 

m = e / D mod p £r ff-JJ t T and decodes Plaintext m. 

[ff^l 5] [CLAIM 15] 

P £r>c$&^& q $r p - 1 It considers it as the big prime number which 

£WlVtyZ>±%t£$l$kb U G gives a clear-cut solution for p to a big prime 

q fi^$xl£Z p (DftiMtv OWti number, and gives a clear-cut solution for q to 

^^^^^(Dt gl, g 2 p-1, gq shall express the partial group of the 

Sr G p <D% t H £r#Ufj/^ s> digit p of multiplicative group Zp. 

v^HI^i: l> X=gl x1 g2 It carries out g1 and g2 the origin of Gp, let H be 

x2 mod p, Y=g l y1 g2 y2 mod a general purpose hash function, let 

p , Z = g 1 z mod p £Rf X=g1 x1 g2 x2 mod p, Y=g1 y1 g2 y2 modp, and Z=g1 2 

¥WS^ffiV^5^BMi^ U (x mod p be the public key which it uses for an 

1, x2, y 1, y2, z ) <= encryption procedure, (x1, x2, y1, y2, z) It 

Zq 5 i:U ¥^Cm(C*t-f 5^ considers it as (element of)Zq 5 , the cryptogram 

-*§\£ Efic^rH (ul, a2) E with respect to Plaintext m 

mod pi:Ltul = gl r mod It is considering c as H(u1, u2) modp. 

p , u 2 = g 2 r mod p , v = The 3 sets (u1, u2, v) used as u1=g1 r mod 

X r Y cr mod p^5Zofi*(u p,u2=g2 r mod p,v=X r Y CT mod p are included, 

1 , u 2 , v ) Sra 3k processing which forms a random number r, 

SLifc r ££$^<5&tfSl£ x processing which receives Cryptogram E, 

Rf-^lfcE SrSfS ^"5^a<t . processing which calculates c=H(u1, u2) mod q, 
c = H ( u 1 , u 2 ) mod q £ 

V= (u l x1+cy1 u 2 x2+cy2 v" 1 ) r V= (processing which calculates 

mod p *tfrtt&jmk. u1 x1+cy1 u2 x2+cy2 v 1 ) r mod p) 
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V= lX+fo&Zb &$£M LTBf The recording medium on which was recorded 

#;£©jE^tt£tfefE^5&g£ the program which lets the computer of a 

is \?=l~$\z. decoding person apparatus perform processing 

^T£*5^P^7A£iE&L which checks that it is V= 1 and verifies the 

/fcf2#PdRft 0 correctness of a cryptogram. 

61 [CLAIM 16] 

V ^ 1 & fi* tf y V =3 ^ y Processing which will exhibit BC (r) using bit 

h * is h §S$t (B C) SrJBv vr commitment function (BC) if it becomes V!=1, r 

B C ( r ) Sr^Mt" &%±Mh, which comprises BC(r), it uses x1, x2, y1, and 

B C ( r ) £rffih$ci~<5 ri:, ^ y2 which comprise public key X and Y, the result 

Hfl^X, Y5:Mt5xl, x of having performed calculation used as 

2, y 1, y 2£fflV>T, (u 1 (u1 x1+cy1 u2 x2+cy2 V 1 ) r mod p is V, the recording 

x1+cy1 u 2 v * 1 ) r mod p & medium characterized by including the program 

SfHSSrt? ofaSSJIr^v-CfoS which performs processing which it proves to a 

w <t $\ r, x 1 , x2, y 1 , third person by zero knowledge proof without 

y 2 {zm-fZWfe&Mb £1* M leaking the secret about r,x1,x2,y1,y2. 

fro 



1 7 ] [CLAIM 17] 

p ^r^^^^^s q £: p — 1 It considers it as the big prime number which 

£?PJ9^5^#&^Bc£ U> G gives a clear-cut solution for p to a big prime 

q USSiZ p <D$L$fc q <D£B# number, and gives a clear-cut solution for q to 

S££r^i~ g 1 , g 2 p-1, gq shall express the partial group of the 

£: G q (Dye t H SrflUfj^ y digit q of multiplicative group Zp. 

v^iifctU nA^tS: It carries out g1 and g2 the origin of Gq, let H be 

Pl~Pni:U ^MItM? P j a general purpose hash function, it sets n 

fi@^£>^PHitw j £rf^,(x persons* decoding person to P1-Pn, let the 

1, x2, y 1 , y2, z ) e secret value (x1 j, x2 j, y1 j, y2 j, zj) 

Zq 5 ^ 3 t < n SrtftTil-L corresponding to a value wj which each 

# V Mfi t ©®ffi#1Rifc{:: £ 9 # decoding person Pj has the inherent open value 

Wtl-X%btiZ), 1i£w j {c^fj^ wj, and is acquired by dispersing (element 

-tSIBM (x 1 j , x 2 j , of)(x1, x2, y1, y2, z) Zq 5 with the secret 
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y 1 j , y 2 j , z j ) £t^t^ dispersion method of threshold-value t which 

#P j (DWfe&k U X j = g fills 3 t<n be the decoding person's Pj secret 

1 x1j g 2 x2J mod p , Y j - g key, let Xj=g1 x1j g2 x2j mod p, Yj=g1 y1j g2 y2j mod p, 

1 y1j g2^ j mod p , Z j = g and Zj=g1 zj mod p be the decoding person's Pj 

l zj mod p £r^7H?P j <D<£zf$ public key, processing which forms the secret 

H(hU value rj corresponding to the value wj obtained 

JLifc r EZq^Lt^fSt (D%& by dispersing random-number r(element oOZq 

VftmLX'&bti with the secret dispersion method of 

SlwjC^fS^ffir j threshold-value t, let X=g1 x1 g2 x2 mod p, 

&±J&-fZ>%hmt . Y=g1 y1 g2 y2 mod p, and Z=g1*mod p be public 

X = g 1 x1 g 2 x2 mod p , Y = key, it considers it as the cryptogram of 

g 1 y1 g 2 ^mod p , Z = gl z Plaintext m, the correct cryptogram is 

mod p L,W-Xm(D processing which fills u1=g1 r mod p, u2=g2 r 

fff-^Ci: U ELV^Bt^fiu mod p, c=H (u1, u2), v=X r Y cr mod p, and e=mZ r 

1 = g 1 r mod p , u2 = g2 r mod p, and receives cryptogram E= (u1, u2, v, 

mod p, c=H (ul, u2), e), processing which calculates c=H (u1, u2), 
v =X r Y cr mod p, e =mZ r 
mod p %mtcLXV%-%XE = 
(u 1, u 2, v, e) SrSIf 

c=H (u 1, u 2) £fh^-f 



Vj= (ul xW, u2 Wj v Vj= (processing which calculates 

- 1 ) Imod p£tf3?«*Mg<t. ul^^^V^^mod p) 

V j £ L # V ^ t 2 t£IT Processing which transmits the secret value Vjk 
<7)^iI^rig^^^t5:&(Cct corresponding to a value wk acquired by 
ifcLT#t>ti<5, {if w k {c£j-j& dispersing Vj with t or more threshold values 
-fSMjiV j k £r^Mg-^#P and a verifiable secret dispersion method 2t or 
k (D^gic^ff-^SMat , less to each decoding person's Pk apparatus, 
$L<D^X (DlM^^^WLP kfrb processing which receives Vkj from all other 

V k j $:Sft"t"5MSi:> decoding person apparatus Pk, processing 

V j &l&(D^kX<D& J £r%^W:^ which transmits Vj to all other decoding person 
&iti~Z)%±M t x apparatus, 

j&(D±X<DU^^^W:t>bV k Processing which receives Vk from all other 
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$rS{fi"5MS^x . decoding person apparatus, processing which 

Vk j £flk©£T©®##3£8 transmits Vkj to all other decoding person 

^?£iB'tZ)%±Mb^ apparatus, processing which verifies that each 

# V k ffilE LlMtt"C&5 - t & Vk is the correct value using Vkj from all other 

fa<DdkX<D'&^%^Wfrb<DV decoding person apparatus, if correct, it will 

k j £/Bv>T^fIE-f choose 2t+1 piece among checked Vk(s), it 

IE Li'* blfeW &tltc V k £> 5 ^> examines whether the value V decompressed 

2 t + lflSSriitRL* JiSfr£l$(c with the secret decompression procedure with 

^fi"6®f^^7c¥Jfi{Cj: respect to an index part is equal to 1, if not 

L1tmv& 1 ^ U^5*>«r equal 

&v^&P>tffiiitf>2 It repeats a secret decompression procedure 

t + 1 1@©ffl^£;b*-T?|^{C similarly in other 2t+1 piece combination, about 

$5^tK^^JIB^Ift9iSL> all combination, if the decompression value is 

©jRa^-^^tcov^-CV^-ftLfe not all equal to 1, it will judge that the 

^Tcffi^ i {c^L< ftl^^. cryptogram is irregular, the recording medium 

^(DVff-^rX&TFjEk^lfeL^ — on which was recorded the program which will 

ott 1 [il/£5ll^'a t>Wfc let the computer of a decoding person 

ofc&S)f£ % ^tDBf-^-^t^rlEL apparatus perform processing which judges that 

l^£$J^~5MJI<t , Srtl-^f the cryptogram is correct if there is combination 

>- t° ^ — ^ fcHfr £ * set to 1 at least one. 

fro 



[ft** 1 8 1 [CLAIM 18] 

p £>fc#&^Bu q p — 1 It considers it as the big prime number which 

£r?SRJ?>-§J5;k#&^Bc£ G gives a clear-cut solution for p to a big prime 

q fi^ftSI Z p <D#[Mt q number, and gives a clear-cut solution for q to 

U^^i~h<Dt g 1 , g 2 p-1, gq shall express the partial group of the 

5rG q (D% t U H £#UB^ y digit q of multiplicative group Zp. 

v^Mifci: It carries out g1 and g2 the origin of Gq, let H be 

( x 1 , x2, y 1 , y 2, z) a general purpose hash function, 

eZq 5 5r®4fc», X = g l x1 (x1,x2,y1,y2,z) 

g2 x2 mod p, Y=gl y1 g 2 Let a secret key, X=g1 x1 g2 x2 mod p, 

^mod p, Z = g l z mod p& Y=g1 y1 g2 y2 mod p, and Z=g1 z mod p be public 

5 (X, Y, Z) &<&mmt U key for (element of)Zq 5 (X, Y, Z), the 3 sets 

W-Xm^yft-t 3B£#:£E fit c £ (u1, u2, v) which the cryptogram E with respect 
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H (u 1, u 2) mod q t LX to Plaintext m makes c H(u1,u2)mod q, and 

u l = g l r mod p, u 2 = g constitute u1=g1 r mod p,u2=g2 r mod p,v=X r 

2 r mod p , v = X r Y cr mod p Y^mod p are included, processing which forms 

& 5Ho|E^ ( u 1 , u 2 , v ) a random number r, 

±12 r SrJEl^T x 1 ' = x 1 • Processing which calculates x1-x1 and rmod q, 

rmod q, x 2' =x 2 • r x2'-x2 and rmod q, y1*=y1 and rmod q, and 

mod q , y 1 ' = y 1 • r mod y2'-y2 and rmod q using the above-mentioned r, 

q , y 2 ' = y 2 • r mod q 2: processing which receives Cryptogram E, from 

t\*^i~&%hMb, the cryptogram which received, it calculates 

Vg^JCE £Sffi~5£0f3£: x c=H(u1, u2) mod q, processing which calculates 

£ff Ltc^Xfab, c=H(u V=u1 xr+cy1 'u2 x2J+cyZ v- r mod p, the recording 

1 , u 2) mod q£rff#L. V medium on which was recorded the program 

= u 1 x1+cyr u 2 ***** v "Triod which lets the computer of a decoding person 

P &:fHirf~<5 MS t > apparatus perform processing which verifies the 

±f2V^ 1 (C^LV^r t correctness of a cryptogram when the 

~tZ>Z- klz£ o TBf -^S:© jEM§ above-mentioned V checks that it is equal to 1 . 

y p ^ 9 a * eft u tctmm 

fro 

[St*®l 9 1 [CLAIM 19] 

1 8 OfSSSKfr (C*JV^ In the recording medium of Claim 18, in V, to the 

T\ case of not being equal to 1, (X, Y, V) are 

V# 1 (d^L< ftV^^C, X=g1 x1 g2 x2 modp for it being (x1,x2,y1,y2, r), 

(X, Y, V) ti*^ fo£ (xl, y=g1 y1 g2 y2 mod p, use zero knowledge proof for 

x2, yl, y2, r){C*tL satisfying V=u1 x1r+cy1r u2 x2r+cy2r V f mod p. 

tX=g l x1 g 2 ^mod p , Y Have made secret (x1 , x2, y 1 , y2, r). 

= g 1 y1 g 2 ^mod p , V = u The recording medium characterized by the 

jxir+cyir u 2 x2r+cy2r y -r mod p a b 0ve . me ntioned program including the 

£rfif£1~5^ t %^&WlU$\%: program which lets the above-mentioned 

#j l^~C (xl, x2, yl, y computer perform processing which it proves to 

2 , r ) £r$5££ t Ltc £ 3:tlfiE a verification person. 
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# m m m -r s & a & ±1 a =» y t° 

a-* fcUfT 7*P ^7 A 

[»*S2 0] [CLAIM 20] 

ft 1 9 OfE&jSMfcfcfcv^ In the recording medium of Claim 19, g and h 

are under Gq whose discrete logarithm of h 

g, h fig $rJ^ii"6 h <DW$L which uses g as a bottom is unknown, 

^i^^tfc5J:5^Gq© comprised such that processing which forms 

Tct'fco^ random numbers r, a1, a2, b1, and b2, 

SLitr, a 1, a 2, b 1, b processing which exhibits R, RX1, RX2, RY1, 

2&&f&-rz>tmk, and RY2 used as R=g r h a mod 

R = g r h a mod P> RX1=R p,RX1=R x1 h a1 mod-p,RX2=R )(2 h a2 mod-p,RY1=R y 

x1 h a1 mod p % RX2=R x2 h 1 h b1 mod-p,RY2=R y2 h b2 mod p, 
a2 mod p, RYl=R y1 h 
b1 mod p, RY2=R y2 h 
b2 mod p&5R, RX1, RX 
2, RY1, RY2HW5 

(X, Y, V, R, RX1, R To (Xl,x2,y1 ( y2,r l a l a1,a2,b1 l b2) with 

X2, RY1, RY2) #*>5 (X,Y,V,R,RX1,RX2 > RY1,RY2), x=g1 x1 g2 x2 mod p, 

(xl, x2, yl, y2, r, y=g1 y1 g2 y2 mod p, v=u1 x1r+cy1r U 2 x2r+Cy2r 

a, al, a2, bl, b2) V'mod p, r=g r h a mod p, RX1=R x1 h a1 mod p, 

{C#LT, RX2=R x2 h a2 mod p, RY1=R y1 h b1 mod p, the 

X = g 1 x1 g 2 ^mod p , Y = recording medium characterized by the 

g 1 y1 g 2 ^mod p , V = u 1 above-mentioned program including the 

x1r+cy1r u 2 x2r+cy2r y -r mod program | ets the above-mentioned 

p, R=g r h a mod p, RX1 computer perform processing which proves 

= R x1 h a1 mod p „ R X 2 = R filling the relation used as RY2=R y2 h b2 mod p by 

* h a2 mod p, R Y 1 = R y1 h zero knowledge proof. 
b1 mod p, RY2=R y2 h 

b2 mod p 45B8fl5^:Sr»fc1- 
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7 s P ^ 7 A flS-gtf r t t 

[fi5fc3l2ll [CLAIM 21] 

fi^^S 1 8 <£>ffi^g#:(c:fo^ In the recording medium of Claim 18, it sets n 

"C, persons' decoding person to P1-Pn, let w be n 

n AO'lg.-%r% &r P 1 ~ P n t root of 1 in mod q, it makes wj into v/ 1 mod q, in 

U w£ mod q*CCDl<£>n^ 1<j<n, it shall fill wj!=1. 

%kk L, w j ^w 1 " 1 mod q £ It assigns each decoding person Pj a value wj, 

1 < j < n {C&I^-C w j ^ let the decoding person's Pj secret key (x1 j, x2 

1 £r«f fct" L> ^r^-^lf j, y1 j, y2 j, zj) be the secret value corresponding 
P j (Cfitw j £r!RJ 9 ^ T, to a value wj acquired by dispersing (x1 , x2, y1 , 

W P j <Z>M£i ( x 1 j , y2, z) with the secret dispersion method of 

x 2 j , y 1 j , y 2 j , zj) threshold-value t which fills 3 t<n, let Xj=g1 x1j 

12, 3 t <n &iifc-r LtvMit g2 x2J mod p, Yj=g1 y1j g2 y2j mod p, and 

t <7>$^#ffcj£tc £9 ( x 1 , Zj=g1 zj mod p be the decoding person's Pj public 

x 2 , yl, y 2 , z ) £#«C key (Xj, Yj, Zj), 
LT#e>ft3, fltw j {CM^-T 
Wfi U 

X j =g l x1i g 2 x2i mod p, 
Y j = g l* 1 ' g 2* mod p, 
Z j =g l 2i mod p£5 (X j , 
Yj, Z j ) «r«##P j ©4* 
Htt£ U 

SUgCr 6Z q^rL^V^tco^ Processing holding the secret value rj 

<9#ffcLT#£>*L corresponding to a value wj acquired by 

5 x jfilw j icttfe-i" &%£$5i\tL r dispersing random-number r(element of)Zq with 

j £rt£^"t" 5 t % the secret dispersion method of threshold-value 

rxl, rx2, ryl, ry t, processing which calculates and maintains 

2 ZZMft L# VMK t (DM secret value x1j',x2j',y1j',y2j' corresponding to a 
^ft&^i'P^ifcL'Cjlfkti value wj obtained by each dispersing 
5, fitw j (c£tJ£-t~5$J$Hiix rx1,rx2,ry1,ry2 with the secret dispersion 
lj' , x 2 j ' , yl j' , method of threshold-value t by the distributed 
y 2 j ' %ftWL.^Mfe\c&.'2X multiplying method, reception of a cryptogram 
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tf^LT^-f will calculate c=H (u1, u2), it calculates 

Bf«SrM"rSt,c=H(u Vj=u1 x1/+cy1f u2 x2/+cy2f v- fj mod p f processing 

1 , u 2 ) £rff- % L x V j = u which transmits Vj to all other decoding person 

1 xif+cyi/ u 2 x2f+cy2f y hj moc j p apparatus according to a broadcast type 

SrfHS ^^S!iift8&{Cct 9 , communication channel, processing which 

V j ZttXD^XO'iM^^W^ checks that the index part of (V1-, Vn) is the 

S&flM" S i: . coding word of a BCH code, 
(VI, Vn) 

±lEfta ^[pPlc^-^S^^^7c# The recording medium characterized by the 

WSM J: 0 LfcfiSV^ 1 (C^ above-mentioned program including the 

LV^r Cio program which performs processing which 

TR£-^:£<D;EStt£^H1~5M verifies the correctness of a cryptogram by 

Mt £±12^ ^t 0 ^— ^(Ci 9 checking that the value V decompressed with 

^ft&Tt&yv ?7 J^&AinZy the secret decompression procedure with 

p ^7 A^^tp r. <t ^QfaWLk-t respect to the above-mentioned index part is 

5f2$N&& 0 equal to 1 by above-mentioned computer. 

[tt*fi2 2] [CLAIM 22] 

W^JI 2 1 (OfESSSEfttfcV^ In the recording medium of Claim 21, it shall fill 

t\ 2 t<n for threshold-value t. 

L#vMitt$r2 t<n Srf^fci" Instead of the processing which checks that the 

i><DhL^ index part of (V1..., Vn) is the coding word of a 

(VI, — , Vn) ©JggcSRfl* BCH code ], without Vj leaks the information 

BCH^f©3-K!7-KtS) concerning that it is the correct calculation 

&Zh&mkr&tm<Dftt>» result of u^Wiu?* 1 ^^ mod p, and ] 

tc. V j 365 u l x1 ^ f u 2 x2f+cy2f x1j , ,x2j , l y1j , l y2j , l rj I processing which it proves to 

v^mod p (DIE LV^ff^^^: another decoding person by zero knowledge 

"Cfc<5d<t£:xlj' , x2 proof, it specifies the decoding person Pj in 

j ' , y 1 j ' , y 2 j ' , r whom zero knowledge proof failed as a 

j {c Mi" 5 if "t~- 1 1£ deviation person, the recording medium 

<x ^^PfilEK(c iotttoS characterized by including the program which 

^%\z.%W\ir %>%]Mk ^ lets the above-mentioned computer perform a 

*ftlillEW* J 5feKUfc*WP deviation person's secret value x1j\ x2j\ y1j\ 
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j &$>$&%tt LT#^L, ifelfc y2j', and processing that decompresses rj using 

^£<D%&$ii\iLx 1 j ' , x 2 j ' , a secret value recovery procedure in the 

y 1 j ' , y2j', rj above-mentioned program. 

[»*«2 3] [CLAIM 23] 

BMfc!g2 1 <Ofe^^ft:(CioV^ In the recording medium of Claim 21, when 

(V1..., Vn) are not the coding words of a BCH 

(VI, Vn) ^BCHi code, without it leaks the information 

^rO) a — K 17 — KT?&1>4§£ concerning that Vj is the calculation result of 

(C. V j 755 u 1 x1f+cy1f u 2 x2 ' +cy2j> u 1 x1 ' + ^ 1 'u2 x2 ' + ^V* mod p, and ] 

v^mod p<Z)|l-M*tfc5 x1j > a x2j' l y1j',y2? v q' a it specifies the processing 

wir^rxlj 7 , x2j' , y which it proves to another decoding person by 

1 j ' , y 2 j ' , r j MIIH" zero knowledge proof, and the decoding person 

5 tfr # Srif f)t^.i:4<, ^F£n Pj who failed in the above-mentioned proof with 

tfcWfflfc£<>Xi&<D&-%r%tlZjSE a deviation person, the recording medium 

ffl1r t , JblEmEW (cffeSJc characterized by the above-mentioned program 

Lfc&##P j £i&lft#£#Jt including the program which lets the 

i&Ite^^S^iiSx 1 j' , above-mentioned computer perform processing 

x 2 j' , ylj' , y 2 j' , which decompresses a deviation person's 

r SfllsiSIeiat^lHMv^ secret value x1j\ x2j\ ylj 1 , y2j\ and rj using a 

T^7c"^^)MSi: 4:±fB^ V t° secret value recovery procedure. 

[i*«2 4] [CLAIM 24] 

p£r;*:#&^Bu q£p— 1 A cryptogram verification apparatus, which 

£#J9i*03;fc:#&^ifc£ G considers it as the big prime number which 

q {£^2fei¥Z p <D#lWcl (DWA gives a clear-cut solution for p to a big prime 

8¥&rS~f h<Db g 1 , g 2 number, and gives a clear-cut solution for q to 

&G<i<D7i:k H£r#Ll/^;/ p-1, gq shall express the partial group of the 
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is MSIc t L % digit q of multiplicative group Zp. 

( x 1 , x2, y 1 , y 2, z) It carries out g1 and g2 the origin of Gq, let H be 

g z q 5 £rg£$g$l % X = g 1 x1 a general purpose hash function, 

g 2 x2 mod p, Y=g l y1 g 2 (x1,x2,y1,y2,z) 

^mod p, Z = gl z mod p& Let a secret key, X=g1 x1 g2 x2 mod p, 

3 (X, Y, Z) U Y=g1 y1 g2 y2 mod p, and Z=g1 z mod p be public 

W-XmiZfri-ZVlfoXEttc £ key for (element of)Zq 5 (X, Y, Z), the 

H (ul, u 2) mod q t LX cryptogram E with respect to Plaintext m is 

ul = gl' mod p , u 2 = g considering c as H(u1, u2) mod q. 

2 r mod p,v = X r Y w mod p It is the verification apparatus of the cryptogram 

^SEoifi^. (ul, u 2 , v ) containing the 3 sets (u1, u2, v) used as u1=g1 r 

&'at?f%-S§rX<DtiiwE&WX*ho mod p,u2=g2 r mod p,v=X r Y cr mod p, comprised 

X ^ such that means to form a random number r, 
S# r 



c = H ( u 1 , u 2 ) mod q $r Means to calculate c=H(u1 , u2) mod q, means 

th»-rS¥Si. to calculate V=(u1 x1 ^u2 x2+<:y V 1 ) r mod p, 

V = ( u 1 x1+cy1 u 2 x2+cy2 v" 1 ) ' means to verify the correctness of a cryptogram 
mod p £rtHS"t~3 t ^ when V checks that it is equal to 1 

V & 1 \z.%f L V» r t £lftig-f -5 Are provided. 



[ft^2 5 ] [CLAIM 25] 

ft^fc 1 ! 2 4 OBf -§-3d&fE^fil A cryptogram verification apparatus, in which in 

\z.-$d\^X^ the cryptogram verification apparatus of Claim 

V # 1 fc^ L < ft v^^{c % 24, when V is not equal to 1 , v receives a third 

^^PfSIEPJ^rfflv^T^H^fcv person at a random number r using zero 

#SU& r LX ( u 1 x1+cy1 u knowledge proof (it has means to prove that it is 

2 x2+cy2 v' 1 ) ' mod p <D£ o K the result of calculating like u i*i+<*i U 2 x24c yV 1 ) r 

trtt Lfdtm-CfcS w t SrfiEPJ mod p.). 

[ff^2 6l [CLAIM 26] 
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p£r;fc:#&^^ q£p — 1 A cryptogram verification apparatus, which 

&Wlty$]Z>J:1*fj:^Wtt G considers it as the big prime number which 

q fi^feil Z p <D#lM q (DW£ gives a clear-cut solution for p to a big prime 

%$%:Mi~h<D k g 1 , g 2 number, and gives a clear-cut solution for q to 

£rG q (Djut H&Vlffis^y p-1, gq shall express the partial group of the 

> IDifc; £ U » digit q of multiplicative group Zp. 

nA©l^f5:P It carries out g1 and g2 the origin of Gq, let H be 

L, #t|-^lfP j tlH^co&Hfl a general purpose hash function, it sets n 

ffiw j persons' decoding person to P1-Pn, each 

(xl, x2, yl, y 2, z) decoding person Pj has the inherent open value 

eZq 5 £r N 3t<n ^Mtc~t wj, let the secret value (x1 j, x2 j, y1 j, y2 j, zj) 

U^vMtt (D^^^t5:&(cJ:«9 corresponding to a value wj acquired by 

ftw j {CjStf dispersing (x1,x2,y1,y2,z)(element of)Zq 5 with 

Jftt^S^iiL (x 1 j , x 2 j , the secret dispersion method of threshold-value 

y 1 j , y 2 j , z j ) £1g7§- t which fills 3 t<n be the decoding person's Pj 

^ P j <DW&m t L x secret key, let Xj=g1 x1i g2 x2j mod p, Yj=g1 y1j g2 y2j 

X j =g l x1j g 2 x2j mod p, mod p, and Zj=g1 2j mod p be the decoding 

Yj=gl y1j g2 y2i mod p , person's Pj public key (Xj, Yj, Zj), 
Z j = g l zj mod p&5 (X j , 
Y j , Z j ) £*g«P j <D& 

mmt u 

&*<D'&^%^WMfc\i. A safe communication channel shall be 

foZ>h<DbL^l£tc^ between each decoding person apparatus, 

^^-^f^ittex ftfltf)^ j|£>tll Moreover, that each decoding person apparatus 

7HfS*iS;$S|Rl— ^ft^^rSHii" receives the content with all the members' same 

<5 CI t fci&tiE&ti£tfc&^Mit other decoding person apparatus shall utilize 

SfefrftlHlVt &h<Dt the broadcast type communication channel 

atrGZq^LtV^f t(Di guaranteed. 

J: 9#tfcLT*#kti The decoding person Pj shall maintain the 

5% filw j (c^fj^^S^^ffi r secret value rj corresponding to a value wj 

j ^r^-^fP j fe$zW~t&h<D acquired by dispersing random-number 

t r(element of)Zq with the secret dispersion 

E = ( u 1 , u2, v, e) method of threshold-value t. 

X=g l x1 g 2 x2 mod p, Y= Let E= (u1, u2, v, e) be a cryptogram with 

g l y1 g 2 y2 mod p, Z = gl z respect to plaintext m which used 
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mod p &&mm k Ltc^JCm X=g1 x1 g2 x2 mod p, Y=g1 y1 g2 y2 mod p, and Z=g1 z 

izft't Z>W$t-%rX k IELV>Bf mod p as public key, the correct cryptogram is 

ul = gl r mod p , u the verification apparatus of the cryptogram 

2 = g 2 r mod p, c=H (u which satisfies u1=g1 r mod p, u2=g2 r mod p, 

1 , u 2), v =X r Y cr mod p, c=H (u1, u2), v^X'Y^mod p, and e=mZ r mod p t 

e=mZ r mod p?r^lJ£"^5He comprised such that means to calculate c=H 

-^;£<^fE^fi^fcoT N (u1, u2) by receiving E, 
ESrSfll tr c=H (u 1, u 

2) &m-rz^9Lk* 

V j = (u l* 1 ** 1 ^ 2 x2ifcy2j v Vj= (means to calculate 
- 1 ) "mod p 5 ul^^^V^^mod p) 

V j ^L#^ft £JL± 2 t SXT It disperses Vj with t or more threshold values 
<DfeU^$3&W£W$£\ZL J: «9 # and a verifiable secret dispersion method 2t or 
HtLT. itw k lZttJfc*i-Z)%&$5 less, means to acquire the secret value Vjk 
ffiV j k &^gkb > corresponding to a value wk, means to transmit 

V j k £:4HK##P k©3£fiM Vjk through a communication channel safe for 
^^^iif&^^r^L'C^fH't'S each decoding person's Pk apparatus, means 
^fkk* to transmit Vj to all other decoding person 
fdl^:£T<Z}t|-^fSiSP k frh apparatus according to a broadcast type 

V k j £:3£fiH"<5 k^ ik&ZtlM communication channel if Vkj is received from 
f&SS(C £ «9 , V j S:i©4t© all other decoding person apparatus Pk, 

V k £SflM~<5 £ ^ 3tfj£~t~<5 V Means to transmit corresponding Vkj to all other 
k j ^r^^MiiftS&fc J: <9ftfeO decoding person apparatus according to a 
^TcD^^^^g^i^ft"^6¥ broadcast type communication channel if Vk is 
Wtk* received, means by which each Vk verifies 
#Vk#*ELVM£" , efe5w££: using Vkj that it is the correct value, if correct, it 

V k j ^^T^fE-fS^I* will choose 2t+1 piece among checked Vk(s), 
ks means to decompress V with the secret 
IE Ll^fitl&^tLTcV k <D o h decompression procedure with respect to an 
2 t + l{@£rlMRL, Jff&S&lc index part, means to examine whether the 
Mir 58HSfc7c¥HBfc«k «9 V£ decompressed value V is equal to 1, 
fe%1rZ>^Wtk, 

^icLtcmv^ 1 t^U^S 
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1 (C^ L < ft^ftbtifoo |f v is not equal to 1 

2 t + 1 ^^l^^frit-t'lRtfi It repeats a secret decompression procedure 

fc8Hfc&7c#Jffi£ri|fc0 3gU V similarly in other 2t+1 piece combination, 

& 1 (c^ LV^tS^fH^S^fc means to examine whether V is equal to 1, 

about all 2t+1 piece combination, if the 

2 t + 1 i©^t©E^fct decompression value is not all equal to 1, it will 

lZ-ol^X\/^Ttih1M.7ii$.tt 1 f~ judge that the cryptogram is irregular, means to 

^L< &W£f>f£, judge that the cryptogram is correct if there is 

Sr^FIEifiJ^L, -oft 1 combination set to 1 at least one 

>&5l&*£';b*#S>ofc*& Are provided. 
If, *©lt#:££iEL.v^!BJj£ 

«i:-r*ffif*3tttliE««. 

[»^2 7] [CLAIM 27] 

ffc^Jg 2 6 OBf -f-^t^fE^g A cryptogram verification apparatus, in which in 

fcfcv^Tx the cryptogram verification apparatus of Claim 

w £ mod q X<D 1 n i 26, let w be n root of 1 in mod q, each decoding 

L x 4MS-^ffi£ % w j £rw*" 1 mod person makes wj w*" 1 mod q, it considers it as 

qi:U 1< j <n(cioV , >'Cw the eigenvalue of public presentation of wj 

j # 1 &Mtc-t£. 5&w j £r4£ which fills wj!=1 in 1<j<n, means to calculate 

ffi(DW&\$ib L. Dj=u1 2 'mod p, means to transmit Dj to all other 

Dj = ul ^mod p £rfr3¥"?~5 decoding person apparatus according to a 

^Wt t > broadcast type communication channel, 

d j ztkmmmmmc £<9m<D 

ig-ffLTt (Dl, D n ) <D Means to check that the discrete logarithm 

u 1 £riE<t"t" £MW(.M$k&B C which uses as a bottom u1 which received 

HfJ#0>3— Kt7— Ktfc^r (D1..., Dn) is the coding word of a BCH code 

t £«fiB1- 6 ¥S ^iiSr Are provided. 
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[M#3g 2 8 ] [CLAIM 28] 

p Sr^cfr&^Sfc* q p — 1 A cryptogram verification apparatus, which 

£:#J!9iJ05^:#&^i&£ G considers it as the big prime number which 

q f±i^j£S£Z p <D#lM q £>p|5# gives a clear-cut solution for p to a big prime 

t g 1 , g 2 number, and gives a clear-cut solution for q to 

&Gq(D7tb HSriFL^J^^ p-1, gq shall express the partial group of the 

i/ =l H^c t L » digit q of multiplicative group Zp. 

( x 1 , x2, y 1 , y 2, z) It carries out g1 and g2 the origin of Gq, let H be 

ez q 5 X=gl x1 a general purpose hash function, 

g2 x2 mod p, Y=gl y1 g2 (x1,x2 l y1 l y2 l z). 

^mod p , Z = g 1 z mod p t£ It is a secret key about (element of)Zq 5 , it is set 

5 (X, Y, Z) Z&mmtU to X=g1 x1 g2 x2 mod-p,Y=g1 y1 g2 y2 mod-p,Z=g1 z 

¥*m{C^5Rf#;fcEi±c«: mod p. 

H (u 1 , u 2) mod q t LT Let (X, Y, Z) be public key, the cryptogram E 

ul = gl r mod p , u2 = g with respect to Plaintext m is the verification 

2 r mod p, v=X r Y cr mod p apparatus of the cryptogram containing the 3 

fr5Ho&U^ (ul, u 2, v) sets (u1, u2, v) which constitute u1=g1 r mod 

&&t*l$&X<DlkwE&mT*1bi p,u2=g2 r mod p,v=X r Y cr mod p by making c into 

~C\ H(u1,u2)mod q, comprised such that means to 

%Mt r ^^Effc-tZ^gkb ^ form a random number r, 

x 1 ' = x 1 • r mod q , x Means to calculate xt'=x1 and rmod q, x2-x2 

2 ' = x 2 * r mod q , y 1 ' and rmod q, y1'=y1 and rmod q, and y2'-y2 and 

= y 1 • r mod q , y 2' = y rmod q, means to calculate c=H(u1, u2) mod q 

2 • rmod q £:ff-^i~5^I?: from the cryptogram which received, this 

calculation result and means to calculate 

^itLtc^Xfrb, c = H(u V=u1 x1,+cyr u2 x * +cy Vmod p from a receiving 

1 , u 2) mod q ^rtf^^S^ cryptogram, means to verify the correctness of 

Wth* w^ft^^^^SffffB-^ a cryptogram when V checks that it is equal to 1 

Xfrb. V=u l x1> +cyr u 2 Are provided. 
x2,+cy2 ' v ^mod p£ft-*1-5# 
ft*. 
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[»*3g2 9] [CLAIM 29] 

If JfrS. 2 8 (Dtig^rJttfkW&W. A cryptogram verification apparatus, in which in 

{CjoV^T^ the cryptogram verification apparatus of Claim 

V^l icm t < fcV*»£-fc, 28, when V is not equal to 1, (X Y, V), with 

(X, Y, V) #\ fo<5 (xl, respect to a (x1, x2, y1, y2, r). 

x 2 , y 1, y 2 , r ) L Use zero knowledge proof for satisfying 

XX= g l x1 g 2 x2 mod p, Y X=g1 x1 g2 x2 mod p, Y=g1 y1 g2 y2 mod p, and 

= gl y1 g2 y2 mod p, V = u v=u1 x1r+cy1r u2 x2r+cy2r V r mod p. 

1 x1r+cy1r u 2 x2r+cy2r v " r mod It has means to prove to a verification person 

P SrSt J5Li~ Sr^ftH^fE^ apparatus making secret (x1 , x2, y 1 , y2, r). 
SrJflV-C (x 1, x 2, y 1, 
y 2, r) £8Hfc£Ut**tft 



[f&&>l3 0] [CLAIM 30] 

jff3£:>g 2 9 iOB^^-^t^fiE^g A cryptogram verification apparatus, in which in 

(c&V^'C, the cryptogram verification apparatus of Claim 

g, hJig $:$£.b-f%> h<DM1& 29, g and h are under Gq whose discrete 

^fifoS^ftiTrfcS X o &G q <D logarithm of h which uses g as a bottom is 

7c"Cfco"C, unknown, comprised such that means to form 

SL^C r, a 1 , a 2 , b 1 , b random numbers r, a1 , a2, b1 , and b2, means 

2 MfSfSt, to exhibit R,RX1,RX2,RY1,RY2 used as R=g r h a 

R = g r h a mod p. RX 1 =R mod 

x1 h a1 mod p, RX2=R x2 h p,RX1=R x1 h a1 mod-p,RX2=R x2 h a2 mod-p,RY1=R y 

a2 mod p, R Y 1 = R y1 h 1 h b1 mod-p,RY2=R y2 h b2 mod p, 
b1 mod p, RY2=R y2 h 
b2 mod p&5R, RX 1, RX 
2, R Y 1 , RY2^|fS 



(X, Y, V, R, RX1, R To (Xl,x2,y1,y2,r,a,a1,a2,b1,b2) with 
X2, RY1, RY2) frhZ (X,Y,V,R,RX1,RX2,RY1,RY2),x=g1 x1 g2 x2 modp, 
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(xl, x2, yl, y2, r, y=g1 y1 g2 y2 mod p, v=u1 x1r+cy1r U 2 x2r+cy2r 

a, a 1, a2, bl, b2) v'mod p, r=g r h a mod p, RX1=R x1 h a1 mod p, 

iZftLX, RX2=R x2 h a2 mod p, RY1=R y1 h b1 mod p, 

X = g 1 x1 g 2 ^mod p , Y = RY2=R y2 h b2 mod p 

g 1 y1 g 2 ^mod p , V = u 1 Means to prove filling the relation used as this 

xlr+cylr u 2 x2r+cy2r y -r mod by zerQ know | ed g e proof 

p , R = g r h a mod p, RX1 Are provided. 
= R x1 h a1 mod p, R X 2 =R 
x2 h a2 mod p, RY 1 = R y1 h 
b1 mod p, RY2=R y2 h 
b2 mod p^Sll^lfct 

[M3 1] [CLAIM 31] 

ft^*g 2 8 <DB%-%rJc%kW&Wi A cryptogram verification apparatus, in which in 

(CjoV>T> the cryptogram verification apparatus of Claim 

n AOltt £r P 1 ~ P n t 28, it sets n persons' decoding person to P1-Pn, 

L x let w be n root of 1 in mod q, it makes wj into w*" 1 

w&r mod q X*<D 1 (Dn^fah mod q, in 1<j<n, it shall fill wj!=1. 

U w j Jrw*" 1 mod q t L, 1 It assigns each decoding person Pj a value wj, 

< j < n (C&V^w j # 1 &ii (x1,x2,y1,y2,z) 

fc-f ^co^ U #^-§-#P j (C Let (element of)Zq 5 be a secret key, let 

fiiw j SrtSfl 0 ST, X=g1 x1 g2 x2 mod p, Y=g1 y1 g2 y2 mod p, and Z=g1 z 

( x 1 , x 2 , yl, y 2 , z ) mod p be public key, 

gz q 5 &m®mt u x= g 

l x1 g 2 x2 mod p, Y=g l y1 
g 2 ^mod p , Z = g 1 2 mod 

p&'jmmt U 

P j <£>$$S$i ( x 1 j , Let the decoding person's Pj secret key (x1 j, x2 

x2j, ylj, y 2 j, zj) j, y1 j, y2j, zj) be the secret value corresponding 

3 t < n £rr$i fct" L£ Wit to a value wj acquired by dispersing (x1 , x2, y1, 

t ©8MSS^ffefeM«t 0 (x 1, y2, z) with the secret dispersion method of 

x 2 , y 1 , y 2 , z ) £#ffc threshold-value t which fills 3 t<n, let Xj=g1 x1j 
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LT#f>ft5, Iw j C^t g2 x2j mod p, Yj=g1 y1j g2 y2j mod p, and 

Z>%&$Si$.b Zj=g1 Zj mod p be the decoding person's Pj 

X j = g 1 x1j g 2 x2j mod p , public key (Xj, Yj, Zj), a safe communication 

Y j =g l y1j g2 y2j mod p , channel shall be between each decoding 
Z j = g l Zj mod p &<5 (X j , person apparatus. 

Y j , Z j ) Sr^-^f P j P><ik Moreover, that each decoding person apparatus 
HiH t receives the content with all the members 1 same 

^^-^^^gP^fcifi, &± other decoding person apparatus shall utilize 

frilfii L> the broadcast type communication channel 

#^#^fi. i&<Di£gi<Dm guaranteed. 

^^^tt^l^^Oft^^Sffi"" It disperses random-number r(element of)Zq 

5 t ^^iiE$ti/?)S5c^Miifi with the secret dispersion method of 

KSrfi S threshold-value t means to acquire the secret 

iSLifc reZq^rL^vMitt <7)$£ value rj corresponding to a value wj, 

j ^Mfc-tzmmur j £#3 

rxl, rx2, ry 1, ry It each disperses rx1, rx2, ry1, and ry2 with the 

2 ^r^tb^tbL^vMif t £>$i^ secret dispersion method of threshold-value t, 

^ifrfeMJ: *9^t5[LT. fitw j means which it acquires by calculating secret 

l^Mfe-tS^^iM x 1 j ' , x value x1j' corresponding to a value wj, x2j\ y1j\ 

2j',ylj',y2j'£r and y2j' by the distributed multiplying method, 

#f^Sfef-£oTff-^LT# means to calculate c=H (u1, u2) about the 

%>^$kb » cryptogram which received, means to calculate 

SftLTcBt^fcoVNT, c = Vj=u1 x1f+cy1f u2 x2J+cy2f v- ,j mod p, means to 

H (ul, u2) £rft#i~5^ transmit Vj to all other decoding person 

Wt t , Vj - ul xif+cyif u 2 apparatus according to a broadcast type 

x2/+cy2j- y -n mod p^^.^;-^^^ communication channel, means to check that 

^ t , the index part of (V1 .... Vn) is the coding word of 

Jfrmmmtm^J: ^ Vj^t a BCH code, 

(vi, vn) om&m* 
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5M^7c¥HH(C Means to decompress V with the secret 

ct 9 V&1§.7t'tZ)^gkk s decompression procedure with respect to an 

til 75 Lfzi$.V& 1 Uv^r £ index part, means to verify the correctness of a 

5 w t M J: oTBf-^-^t cryptogram by checking that the decompressed 

<D^>\±£mUi-Z>^&t, £ value V is equal to 1 

fi^r b*W®Lt-fZ>^X Are provided. 

mmWo 

[f#3^S3 2] [CLAIM 32] 

ft 3 1 <D%% ^JC$kM2kvlL In the cryptogram verification apparatus of 

fc&l^T, Claim 31, it shall fill 2 t<n for threshold-value t. 

L#vMHLt£\ 2 t<n£:fiSifc It has means to prove to another decoding 

i~i>(DhL^ person by zero knowledge proof, without Vj 

(VI, V n ) (D^W%& leaking the information concerning [ that it is the 

B C Fm-^(D n — K 17 - K-Cfc correct calculation result of U 1 x1f ^ 1 ^2^ f+ ^V j 

5 r t ftt> <9 V mod p, and ] x1j\ x2j\ y1j\ y2j\ and rj instead of 

ji s ul x1/+cy1f u 2 x2f+cy2f v ^ checking that the index part of (V1..., Vn) is the 

mod p (DjE LV^fj-^^j^^fc coding word of a BCH code. 

5w<h£rxlj' , x2 j' , The cryptogram verification apparatus 

ylj' , y2j' , r j {C|§ characterized by the above-mentioned. 

ftmmw ^ <t o -cteoawK 

#LliEW« 5 n <b 

£#HfC ^5 l»#A«ttESE«. 

[fit 3^1 3 3 1 [CLAIM 33] 

fft^Jg 3 i (D^^XtikUMWi In the cryptogram verification apparatus of 

(c^oV^T^ Claim 31, means to prove to another decoding 

(VI, — , Vn) ^BCHi person by zero knowledge proof without leaking 

^(T)=l— K!7— K^Cfcl^jt^ the information concerning [ that Vj is the 

fc, Vj^u l x1 ^ u 2 x2 ' +cy2j " calculation result of u1 x1 ^ 1j u2 x2j,+cy2 V rj mod p, 

v - rj mod p <Z>tP£*S£-C£>5 and ] x1j\ x2j\ y1j\ y2j\ and rj when (V1..., Vn) 

w t £r x 1 j ' , x 2 j ' , y are not the coding words of a BCH code, it 

1 j ' , y 2 j ' , r j dM-f"* specifies the decoding person Pj who failed in 

<5fff$B£:;ii£>1~- , ^f£p the proof with a deviation person, a deviation 
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SiliE^lc ioTflfcoS^tcBE person's secret value x1j', x2j\ y1j', y2j*. means 

^"t"<5^fi<i: > to decompress rj using a secret value recovery 

Z<Dm%^9m.L P j procedure 

&i&Jfc# £ U MWl.%<D® Are provided. 

$5i\£ x 1 j' , x2 j' , yl The cryptogram verification apparatus 

j ' , y 2 j ' , r j £r$$H£ characterized by the above-mentioned. 

[$£W<DmmtemW] [DETAILED DESCRIPTION OF THE 

INVENTION] 

[0 00 1] [0001] 

[&W(Dmir5&ffiftm'l [TECHNICAL FIELD OF THE INVENTION] 

^(DffiMfe^ tt^iifiv'^xA This invention relates to the safe cryptographic 

"Ciifa ^rtT o a~(^ MiBfaW method from which the information about a 

^iSL> T^o^-^-ft^Sr^lil decoding person's secret key does not leak, 

L-tcMa-K ^^-f-^coS^li^ also when the content of communication is kept 

M"f 6tff$B;0 s 2!;ft<5- b&tj:^ secret when communicating by a 

^c^&Bt375-;2fi!ife(cH telecommunication system, and the content of 

Rff-ivfcOjE^teSrtS-^flStlfE decoding is exhibited. 

i'SRf^XtfefE^fe&lft©:/ Specifically, it is related with the cryptogram 

p AfS^lg^ (cPi-5 0 verification method that a decoding person 

verifies the correctness of a cryptogram, and its 

program recording medium. 

[0002] [0002] 

l$£M<D&ffi] [PRIOR ART] 

jlJR^^C^^^^V^-^-^icjo In a code type strong against a choice plaintext 

\/"Xtts Bm%-$:<DT£ia%fc7L<£) attack, a decoding person verifies that the 

^P^Sr^Ootv^ r k transmitting party of a cryptogram knows 

h fi*<Dj5feX%kU.'i'Z> 0 C original plaintext by a certain method. 
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r ame r-ShoupSf^ Cramer-Shoup code, paper R.Cramer and 

it . Ira X R.Cramer and V.Shoup:"A 

V.Shoup: "A practical public key Practical public key 

cryptosystem provablysecure Cryptosystem provablysecure 

against adaptive chosen Against adaptive chosen 

chipertext attack " , Advances It proposed by chipertext attack", Advances in 

in Cryptology-CRYPTO'98, Cryptology-CRYPTO'98 and LNCS 1462, 

LNCS 1462, Springer-Verlag, Springer-Verlag, pp.13-25, and 1998, it is the 

pp. 13-25, 1998 "CSI^^tLfc, public-key cryptographic method which can 

#Lffl— ^>^liSfc<Z># prove that it is strong to an adaptive choice 

ffiioctt^^Diffie-Hellman^J^PB^ cryptogram attack under assumption which is 

i©Eltt<h v>5 J£<ft Chti called a presence of a general purpose 

X\s^Z>Qzfe<DT7:, 2lJ£#JiltlR unidirectional hash function and the difficulty of 

f^;£#^{-3&V^ t ftUmx* a Diffie-Hellman evaluation problem, and which 

# 5 ^ li $^ j£ T* 5 0 is believed widely. 

Cramer-Shoup Bf-^te;— o<£>4£ A Cramer-Shoup code is a cryptographic 

^H^^ti^^S— ocoS^H^: method supposing the decoding person of one 

A<D&^%&MAfELtcWlr person with one secret key corresponding to 

^-jjfeXfo&o one public key. 

[000 31 [0003] 

^Ti£Hg^^<^i^i-i§J£ft) With the Cramer-Shoup cryptographic method 

ji£Rff£-^;£5k^c3&V n r t #*£n with which it is already known in the case of the 

b tbTV^ 5 Cramer-Shoup Bf-^ 1 decoding person that it is strong to an 

i£~Cfi. Sf x p > adaptive choice cryptogram attack 

q &s q fi$ p — 1 £t#J *9 ^35 J: First, it chooses the big prime numbers p and q 

5 MiSt^ ^j£l¥Z p (D&Mq so that q may give a clear-cut solution to p-1, 

(DMft&G q (Z>7n g 1 , g2$: and it uses the origin g1 and g2 of the partial 

>1V>T, (x 1 , x 2, group Gq of the digit q of multiplicative group 

y 1, y 2, z) GZ q 5 £^ Zp, it is (element of)(x1, x2, y1, y2, z) Zq 5 

3^£r X = g l x1 g 2 ^mod p , public key about a secret key, X=g1 x1 g2 x2 mod p 

Y = g 1 y1 g 2 ^mod p , Z = It is referred to as Y=g1 y1 g2 y2 mod p and Z=g1 z 

g l z mod pb-t&o ftme mod p. 

G q f£^^5Bf-^;$CE{i (u 1 , The cryptogram E with respect to plaintext 

u2, v, e) ct^gfe^ iEL m(element of)Gq constitutes of (u1, u2, v, e), 

< {^ffc&titc^-%Xl'±fo&iL } $; and the cryptogram made correctly satisfies 
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r C^Ltu 1 = g l r mod u1=g1 r mod p, u2=g2 r mod p, c=H (u1, u2), v=X r 

p , u 2 = g 2 r mod p , c = Y cr mod p, and e=mZ r mod p to a certain random 

H(u 1 , u 2), v =X r Y cr mod numberr. 

p, e=mZ r mod p $r#U£-f The decoding person who received this 

£o - (D^^X^^t X^tzM^r cryptogram calculates c=H (u1, u2) first, it 

^fte> £i\ c = H (u 1, u verifies whether a cryptogram fills verification 

2) £lt^U ^X&m&& type u1 x1+cy1 u2 x2+cy2 IDENTICAL-TOv (mod p), 

u 1 x1+cy1 u 2 x24cy2 = v (mod when not filling, it refuses decoding of the 

p) &Mtcirfri§fr : fe%klifi:L^ cryptogram, it calculates m=e/u1 z modp, when 

mtc£ ^^^at^(D^X filling, it obtains Plaintext m. 

}i N m= e /u l z modp £rfH¥ 
U ¥im^t#6 0 

[0 0041 [0004] 

±fE^!fl:^£ <fc *9 x ^^#f±. By the above-mentioned verification type, a 

Bt^^t^^Jf^^^Tc^^p^Cm^: decoding person can check that the maker of a 

^liotv^^i Srfflll&'t' 5 " <t cryptogram knows original plaintext m. 

/$ 5 ~C# So ^SE^Sr^fc $ ftv^ To the irregular cryptogram which does not fill a 

^lEt£^ J &JCiz.Ml'XUW.-%r$: verification type, it refuses decoding, therefore, 

fej§1r2><DX\ %t^%ltfi!ti<D as for neither of the useful information, an 

^&^#^#?>;fa&l\> Lri> aggressor is obtained. 

L&^£b N ^<D9%rjrX%kHiEjjfe However, when refusing decoding by this 

~Cfix ^.^(O^^M^^^^ir cryptogram verification method as a result of 

S^^n fc. ^H#(C^fLT^IIE verification, it is actually difficult to prove the 

Lfc^^X^^f^EXh^ fc Z information concerning [ not becoming V!=v 

1rt£t>t>, V = u l x1+cy1 u (mod p) and ] V, without leaking information in 

2 x2+cy2 (mod p ) t LT\ V any way as the cryptogram verified to the third 

=£v (mod p) <t&£>&l^r. t person having been illegitimate (mod p), i.e., 

Vlzm-tZmmZttbmm VIDENTICAL-TOul^^*^. 

[0 00 5] [0005] 

££>(C N E 1 G a m a 1 Rett? & Furthermore, the thing for which secret 

¥X*l>li Lff^T^tLScfc 5 fc* dispersion disperses a corresponding secret 



5/16/2005 



35/96 Copyright (C) 2005 The Thomson Corporation. 



JP2000-216774-A 




--o<7)^|!!Hf£3t LT> key to two or more partial secret keys to one 

Z>ffi6B&&&$5ftWlfc& 9 Wk public key, and it maintains this to two or more 

©IIJ^SH6<i»C^ffc U ttlRO decoding persons so that it may often be 

performed by the EIGamal code etc., to an 

(cj:^, L#^ilS:Sx.5AI[ irregular cryptogram which does not fill a 

<O^M^r^^WjfjLtct^(D^^ verification type in this code decoding method 

^7 ;££rti[7§-~C# 5 «fc 5 tC^"S L when the decoding person of the number which 

# V^tt^^-^Srjgffi^S j§ exceeds a threshold value cooperates and it 

£\ r. ©Bf-^tK-^JftfC. joV^T applies decoding with the threshold value which 

&E^£riSfc£&V^J: ofc^lE enables it to decode a cryptogram, since the 

teftitt£.tt LT, ttBESlOfe calculation result V of left-side u1 x1+cy1 u2 x2+cy2 of 

i2u l x1+cy1 u 2 x2+cy2 (7>|f^:^ a verification type becomes known to two or 

&W&<0'&^r1£\Z-$&fcX L more decoding persons, when the decoding 

£ ?fclMf£^fGL/c^ person who conspired with the aggressor 

^^SftfeLfcSMH::* exists, information is revealed to an aggressor 

{Cjf $fta*i§$&LT L£v\ and it cannot maintain the safety to a choice 

cryptogram attack. 



[0 0 0 6] [0006] 

L^VMtt##^^&(-ov^T About the decoding method with a threshold 

tt. fllfctf. Ifcfc V.Shoupand value 

R.Gennaro: Securing For example, paper V.Shoup and 

threshold cryptosystems R.Gennaro : 

against chosen ciphertext "Securing threshold 

attack , Advances in Cryptosystems against 

Cryptology-EUROCRYPT 98, Chosen ciphertext attack 

LNCS 1403, Springer-Verlag, ", Advances in Cryptology-EUROCRYPT' 98 

pp.1-16,1998 -Cfi^SJlfc* and LNCS 1403, Springer-Verlag, and pp.1- 16 

Xli, Mffc&]M$ltiu^rJ:%t&fc and 1998 Proposed system, it is shown under 

S&V^r kfcy y^A^7 #/\s<D assumption called a presence of a random 

%fl±b 5$i'ti2(DT~C7F&tiX oracle that it is strong to an adaptive choice 

V ^ 5 o cryptogram attack. 

[0 0 0 7] [0007] 

Lfrlsfe&bs v l/tf&jry 9 However, assumption called a random oracle is 



5/16/2005 



36/96 Copyright (C) 2005 The Thomson Corporation. 



JP2000-216774-A 



/i/£l^54Rj£ji % ifelbxtfflM very unreal. 

#J~C£> <9 x Jl/ff J*3ry 2 When a random oracle is replaced and used for 

ii$r<7>®j^KH<t#^kti5<^ the hash function considered that the usual 

y *>:x|15^^|cg#&;iT4£ffl collision is difficult, it can obtain no guarantee 

Lfdi^dfi, *©$^tt(:o about the safety. 

[0 0 0 8] [0008] 

[*WiS#FftLJ:5i-t"5ll [PROBLEM TO BE SOLVED BY THE 

M] INVENTION] 

rcDISf^jtDgftjil. It sets the objective of this invention to a 

Cramer-Shoup Rf-SHciiol^T* Cramer-Shoup code, it can verify the 

^HESlfCjoit Slit l£|lf|-^5tff S correctness of a cryptogram, without leaking the 

£r^#J$i E>i"£ £ & < % information about the value in a verification type 

<DEStt£r^liE~e^\ SfclfcfJE entirely, moreover, the thing for which the value 

^©{jt^lES^&V^ t £ttfL is correctly made when it is shown that the 

"Cl^SSMHc^ -tO^fi^jE b < value of a verification type is not rightful, proving 

fr^JSJc £ frfc h<DXfoZ>Z. b%:^ for a third person by zero knowledge proof 

^M$fiE^^cfcoT^H#{CfE Furthermore, when two or more decoding 

P|t5C^\ Jg(c^£(7>^7§- persons cooperate and verify, also as there 

^tffiffl/j] LT^fEi~3SI > aic > having been an irregular person in a decoding 

tl^^^ i£^IE##sWc£ LX person, the value of a verification type is 

&li£&(Dj&&%i-%%'liCi>M providing the cryptogram verification method 

" t ^^V^Hf-^^t^fE^ which it does not reveal to a decoding person, 

fe. ■?:<£>:/ p l?? J^WMWkfo^ either, its program recording medium, and its 

A 5 r t Kl apparatus. 

[0 0 0 9] [0009] 

[ftUB£#*«fc«>©¥&l [MEANS TO SOLVE THE PROBLEM] 

Cramer-Shoup Bf -^(^itS^ It carries out the power of the value of the 

^&f<DfetE£:<DW.$:, '&^r%<0 verification type at the time of decoding in a 

H&tf^^Hjf £&9#&V>ft$: Cramer-Shoup code with the random number 



5/16/2005 



37/96 Copyright (C) 2005 The Thomson Corporation. 



(CctoT^#^Ux ^(D^^M with which everyone of a decoding person 

LfcfcMW* 1 £ & 5 cannot know the value, and verifies the 

fEi~5 Ztteki Tflf -^\£<£>IE correctness of a cryptogram by verifying 

MSttSrtfcfE-^So r^SLfcT*^ whether the result of having carried out the 

5<tv^5tt^£r#ffctf-^ power is set to 1. 

f-cfc^, :£ff^#^fe;^?T;> Also when not filling a verification type by 

w t {CckoT. ^fiE^Srfjlfc £ performing calculation of carrying out a power 

ftV^a by these random numbers, by cooperation of all 

^fjBWite }£<D&^%iz i>M accountants by distributed calculation, it reveals 

- i: fifcv\ o£ 9 EMS to no decoding person, that is, the value of the 

'CfcV^'oii^ ft^lit 1 verification type before carrying out a power 

vMlS t & *9 . -?:(7){ii;^SL^"C^< turns into a value whose calculated value is not 

^^^faTV^/^ks ^(D^i* 1, when not rightful, the power of the value is 

%&tiX^Z>i&$:7F LTfHSlit carried out by the random numbers, therefore 

i -C&V^ t , Wtt^Xft Even if the value by which the power is carried 

Sr/^Lt ^^^^^ out is shown and it is shown that a calculated 

Wl<Dfctiti>< itft^jitt value is not 1, i.e., are not rightful, the value in 

S&^tWi&V^ front of the power is hidden, there is no risk that 

information may leak. 

[0 0 10] [0010] 

nA^)Sft?:P 1 ~ P n t It sets n persons' decoding person to P1-Pn, 

U #t£-^#P j ( j = 1 , 2, each decoding person Pj Q = 1, 2..., n) shall 

n ) fifS^ (Dfefflife w j have the inherent open value wj. 

W^i><Dk~tZ> 0 (xl, x2, (xi,x2 > y1 l y2,z) 

y 1 , y 2, z) eZq^L It disperses (element of)Zq 5 with the secret 

# VHK t ©®$fc#fifcifc{C <fc «9 # dispersion method of threshold-value t, let the 

tfcU llw j (C^f SMffi secret value (x1 j, x2 j, y1 j, y2 j, zj) 

(xlj, x2j, ylj, y corresponding to a value wj be the decoding 

2 j , z j ) Sr^^P j <DU person's Pj secret key. 

[0011] [0011] 

X j = g 1 x1j g 2 x2j mod Moreover, let (Xj, Yj, Zj) which becomes Xj=g1 x1J 

p , Yj=gl y1j g2 y2j mod g2 x2j mod p,Yj=g1 y1j g2 y2j mod p,Zj=g1 zj mod p 

p , Z j = g 1 2J mod p t£ £ (X Be the decoding person's Pj public key. 
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j , Y j , Z j ) P j Let X=g1 x1 g2 x2 mod p, Y=g1 y1 g2 y2 mod p, and 

<D y £fflMb-tZ> 0 X=g l x1 g Z=g1 z modp be the public key which it uses for 

2 x2 mod p, Y = g 1 y1 g 2 encryption (X, Y, Z). 

^mod p, Z = g l 2 mod p& It shall connect by the safe communication 

<5 (X, Y, Z) fctin^ikK^ channel between each decoding person 

^54kHB$t£-f"5 0 Q^^'tik^ apparatus, and each decoding person 

#SgPeUte> ££fciIftB&'CJ£ apparatus shall utilize the broadcast type 

Wl £ tlXio V ^ ^ &^^^^Sfi^ communication channel it is guaranteed to be to 

ffi©£M©^-^#Scfij& s lRl— 0> receive the content with all the members 1 same 

F^SrSfl - t a s ftfEStL other decoding person apparatus. 

[0 0 12] [0012] 

E= (ul, u2, v, e) Sr Let E= (u1, u2, v, e) be the cryptogram of 

Cramer-Shoup ffH^vfr&fCck 9 plaintext m enciphered by the Cramer-Shoup 

Bt#{bS*Lfc¥S:m©Bt*i:i cryptographic method. 

1"5o tS-^flScfifi* ^^]LT A decoding person apparatus performs a 

^t^SL^^^c^SSrll^TL^ distributed random-number generation 

-SNfP j W§£gfii®$SHii[ r j £: procedure in cooperation, and the decoding 

#<5o r j fiSL^C r e person's Pj apparatus acquires the secret value 

Zq«rL#V^tO«*»»jfe rj. 

M<£ ^^tfcLfc^n^ fltw j Here, rj is a secret value corresponding to the 

l£*tJSi~ 5§HM"t?£>!!K ftE value wj at the time of dispersing 

©t + 1 Wi<oW&^M3)*h* ®^ random-number r(element of)Zq with the secret 

S-WMSte: <fc 9 . r dispersion method of threshold-value t. 

3 <£ 5 &ffi"Cfc<5 0 £fc> #ffc It is the value which can recover r with a secret 
W$fc&ffc^M<D&lS.frh. &&L decoding procedure from the secret values of 
##^1114 r ©flt«r*P5 r t ^ t+1 piece as desired. 

~0#"fx r f£OJ^±q5fcfii<7>:7 Moreover, each decoding person apparatus 

istf &t£Wkkti:Z>o cannot know the value of r, but r becomes the 

random integer of 0 or more and under q from 
the characteristic of a distributed 
random-number generation procedure. 

[0 0 13] [0013] 
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E £r3Hs Lfc^MJ-^f P j (D^ The apparatus of each decoding person Pj who 

fifiiU c=H (ul, u2) *5 received E are c=H (u1, u2) and Vj= (it 

J: V V j = ( u 1 x1ifcy1j u 2 calculates u1 x1 ^ 1 Vj2^^V 1 )*mod p.). 

x2j+cy2j v -i) rj mod p £§f^-f £ o Furthermore, it disperses Vj with a with a 

V j 4: L# IMS 2 t <7)$£ threshold value of 2t verifiable secret dispersion 

J: 9 ft ft method, and transmits the secret value Vjk 

L N ffiwk (k=l, 2, — , corresponding to a value wk (k = 1, 2..., n, k!=j) 

n x k j ) {c^tJ^-^S^^ffi through a communication channel safe for each 

V j k £r#ft##P k©gll: decoding person's Pk apparatus, 
^^ftfiff i££^LTi£fi1- After receiving Vjk from all other decoding 
<5 G fa(D&X (DjM-^r^t^Wifrb person apparatus, the decoding person's Pk 

V j k SrSff Lfc^L ^THf P apparatus transmits Vk to etc. of all decoding 
k (D^MHV k £^i£5il!{f j& person apparatus through a broadcast type 
teft^X^CDikX^'&^^WIL communication channel. 

^^fs'fSo &t^#Stl{iix: It verifies using Vkj that each decoding person 

ft Ufc^V k /^ELvMif^foS apparatus is the value with each correct Vk 

r^Vk j £JJ3l^T4£tE-f which received. 

So 

[0014] [0014] 

IELV><tlilg£tifcVk<Z>5^ If correct, it will choose 2t+1 piece among 

2 t + USSrSiRU JgftfiB* checked Vk(s), and it examines whether the 

«9 x 1 k + c y 1 k, x2 value V decompressed by the index part, i.e., 

k + c y 2 k lztt-$~Z>%M85@[7z the secret decompression procedure with 

¥Jlg(- J: 9 ^75 Lfclfiva* 1 [Z respect to x1k+cy1k,x2k+cy2k, is equal to 1. 

«f bv^^^S:W^<S 0 These 

*v^P>Hrflfc©jB*^t>*-ei^ If not equal 

^|{3l^^^7n^JflI$:#f5 3SL'. It repeats a secret decompression procedure 

&X<D2 t + 1 Wi<D$Lfy&t>& similarly in other combination, and about all 

(coV^TV^TtLt>^7n{ii:^ 1 (c 2t+1 piece combination, if the decompression 

b< &V>& £>f3:> ^-^4:^5 value is not all equal to 1, it will refuse decoding 

LX&±i~& 0 and will stop. 

[0015] [0015] 

#ti^#^fii5 5 ±iE¥ll@fct£o When each decoding person apparatus 

TfHff L/diHh 2 t + lf@J£* calculates according to the above-mentioned 
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^(DfeM^lE LVV k ^f), }f procedure, from the correct Vk(s) as desired 
&Wz*M~Z>W8S9&&7c¥ffi\z. more than 2t+1 piece, the secret-key 
<fc •) , V = ( u 1 x1+cy1 u 2 x2+cy2 decompression procedure with respect to an 
v'Vmod p &6 V£tS7iH~6 index part, v= (it can decompress V used as 
r£#-et3o r-T% V#p u1 x1+cy1 u2 x2+cy2 v 1 ) r modp.) 
£i£<!: LT 1 ££-|3jT*&V>& ?> Here, v should make p a method 
f4\ Cramer-Shoup &(cjo{t5 If in cooperation with 1 , also the value of original 
* * <D m HE 5£ u 1 x1+cy1 u 2 verification type u1 *i+cyi u2 *2«y2 in 
x2+cy2 tfMjf v <b £ 1^1 -e f* ft V \ Cramer-Shoup method 

V^l i-g-l^i In cooperation with v. 

(4s ^Jfeco^fE^;^ v b&fflX* When V becomes in cooperation with 1 on the 
h 5 #\ £ fc (4. SLi!t r 0 Tf other hand, whether an original verification type 
fcSjOvDVvf ti75 s "C$>S 0 is in cooperation with v, or 
Ix^^P), #|5:£Li&£#c;^JiI*C Or whether a random number r is 0, it is either 
£j£Lfcft*r *S0£&£4fe* of this. 

(4 1 /" q -Cfe <9 % -Hhb§v><Z) However, the probabilities that the random 
T*MIS-f 5*^tt5o^ot, number r formed in the distributed 
V# 1 £la l^"Cfo-5SI"n (cite, random-number generation procedure will be 
#*©tfcfB5tt v <b^lB)-C'feS set to 0 are 1/q. 
t &t£-fZ- t^X^^ 0 Since it is small enough, it can ignore. 

Therefore, when V is in cooperation with 1, it 
can consider in cooperation with an original 
verification type v. 

[0016] [0016] 

--t\ ^FIE £rfi8i < 'jjk ^rtgfrM Here, it assumes that there are a maximum of t 

A" t Av n -5 h$L1£1rZ> 0 Z.(Dt decoding persons who act irregularity. 

Ate, ( l ) ^jEfcBf-f-XE These t persons, (1) 

i-Z>W>Ui£.<Di$.Vtf 1 <b ft 6 i It makes it the value V of the verification type 

5 £fcte (2) jE^ift with respect to the irregular cryptogram E set to 

^XEKft-tzfam^mv 1. 

tfl ^i?»^J:5i;t5, <£> Or 

~»9©BW-eJbSH4Mfia»e>i& (2) 

Ifc1~3#£i0 s fe 9 #5. £T , It keeps the value V of the verification type with 

( 1 ) <D @ &) £r$c5b £ -12: <5 #> respect to the rightful cryptogram E from being 

(cite, fc<5 2 t + lfl©Vk^ set to 1. 
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V©f^ 1 t &<5 It can deviate from the above-mentioned 

ct 5 Ltetftitifthte^o L procedure for two kinds of these objective. 

a>Ue#e>, ^3E#»iBS:^«> First 

tc±X(Dm^r^mt^(Dm^ In order to let the objective of (1) successful, 

#3£firt s tti"Vk©tf£:403fl& you have to make it the value of V 

g £f<7) V k (D'ffi £^fEpTli6 decompressed from certain 2t+1 piece Vk set to 

mwiaoT^u 1. 

ttftli&?>i\ f&E>t£-fM^£fi However, all decoding person apparatus 

©V k ©H^o Tj5^ SSB including an irregular person apparatus are 

©Vk <EHK££3e-t-S - £ flT? before getting to know the value of Vk which 

^ftl^'T?, j&(O^M.^^^W(0 another decoding person apparatus takes out, 

V k d Mi~<5 ^Mffi S fc o since the value of Vk of a self-apparatus cannot 

&<DfrsflEtj:^^r%tfe ( 1 ) <D be altered after having to disperse the value of 

@#j£r^J5fc-^5w £ri 5 "T?#5o one's Vk with a verifiable secret dispersion 

^Sj5*Mi;fc:5fl|^l± 1 / q Xfo method and getting to know the value of Vk of 

9 x -Hfr'hcS V^(DT?^^-f 2) another decoding person apparatus, only when 

k&X%Z>o (2) <D^it the anticipation about Vk of another decoding 

{£§3LTfi> ^lE&lg^figfL person apparatus comes true, an irregular 

#\ ¥<D J: 5 ft^FIEfrfilEV k decoding person can attain the objective of (1). 

j£{f L <t L ~C ^lE^fi The probabilities that anticipation will come true 

t A"C£> <9 , 1&<D 2 t + 1 are 1/q. 

Atf^iSfiiE LVMitSr^ft LT Since it is small enough, it can ignore. 

V^5(7)"C,^/^< <fc t> 1 ii!9 fix Next, even if an irregular decoding person 

£TjELVMfi<7>2 t + HH©V apparatus transmits what kind of illegitimate 

k ^f>fi!c5i^ £3X5 w t &X value Vk about the case of (2), an irregular 

5 ftH'a frbV= 1 person is at most t persons. 

i 5 ^7c$ti5 0 Other 2t+1 person apparatus have transmitted 

the correct value, therefore, all the at least 1 
kinds can take the ensemble which constitutes 
of 2t+1 piece Vk of the correct value, and V= 1 
is decompressed from such an ensemble. 



[0017] [0017] 

ffif #(7)ii^{cov>rfi, V& 1 About leakage of information, when V is not 1, 

-?&v>i§-g\ £<D J: 5 ft u 1 to the value of what kind of U 1 x1+cy1 u2 x2+cy2 , it is 

x1+cy1 u 2 x2+cy2 <D»M LT t . as follows. 
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V = ( u 1 x1+cy1 u 2 x2+cy2 v - 1 ) r V= (one value of r which fills u1 x1+cy1 u2 x2+cy2 V 1 ) r 

mod p £r?i7h*t" r <Dj&ih>— o mod p becomes settled) 

(u 1 x1+cy1 u 2 Therefore, the randomizing of the value of 

x2+c y2 v - 1 ) r V^A (u1 x1+cy1 u2 x2+cy2 v 1 ) is carried out by r, even if 

it^ii, ^(Dy^yj^ikZ titc this value by which the randomizing was carried 
i\i&7F LX r Xy^y out is shown, the value before a randomizing is 

&tiZ>m<Di\lL f±2fitL&v\ o£ carried out by r does not leak, that is, the 

<9 if^fE^-Cfi, u 1 x1+cy1 information about u1 ^^ u2 x2+c y2 does not |eak 

u 2 x2+cy2 tc|B1-£lf #1 at all by the above-mentioned verification 

•flffiftv\, method. 



[0 0 18] [0018] 

£JLkJ:!9* roMd <£tUl> As mentioned above, without leaking the 

^IE£rft< ^^#^^g7Hf£> information about a secret key entirely, if the 

1/3 Thrift *b t£ s §$£$^M decoding person who acts irregularity according 

i~ 3 tff £r — tyMb'f'Z- bt£ to this invention is under all decoding persons 1 

< ^ W^^M^r^(OWjf)^^^X 1/3, by cooperation of two or more decoding 

Cramer-Shoup Bf ^rjjfe person, it can calculate a verification type 

<D%kU&b l^^tf>^fD:^;£rfH^ equivalent to the verification type of an original 

Z t &~*I$iXfo ^ iot> Cramer-Shoup cryptographic method, and, 

iiJ^^iliRBB^^:55:^{c^V\ therefore, can comprise two or more decoding 

Wlk^^^^^^'&W^W&iM person's code decoder strong against an 

ffc-t&^fcX^ 6 0 adaptive choice cryptogram attack. 

[0019] [0019] 

^±<D^fetetl^g 1 /S>n Av^<5 When n decoding persons are in the above 

^m^^m^ ±X approach, to n data for verification (V1.. M Vn) 

(D^^^^M^h^imLfcn^ which received each decoding person 

<D%kU.Ri : T—'? (V 1 , — , V apparatus from all decoding person apparatus, 

n ) LT > 2 t + 1 i©f it takes out 2t+1 piece data, it verifies whether it 

— P&WLVfcl,^ £>5$liES;£r satisfies a certain verification type. 

?iS"t"S^^/6^^IiE-^So When not satisfied, it performs this verification 

SL&Vv^fi, r(Z)^fjE£rn to all the 2t+1 piece combination that can be 

i@(c#LT©«9#5£T<£>2 t taken to n pieces. 

+ \^(D%&fy^t>^:kcj$\^X'tT Therefore, when not satisfying a verification 

9 0 ^(Dtcft^ ^fE^£rti/l L type, it has the disadvantage that computational 
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ftlvSHa fe^^tcoWtn iz complexity increases exponentially, to several n 

MLX, fh^*^^M(Ci#^P of a decoding person. 

[0 0 2 0] [0020] 

^ ^^^^S'J^II^C According to another viewpoint of this invention, 

^^^-^ffc: i SRbtHS-^j in the code decoding method by two or more 

?£(c4oV>T. &Wl<D%i'%r%'i£& decoding persons, it provides the cryptogram 

LX h^^ffifcft^&^ftX verification method and its program recording 

#, 1/3 Sl±<D^M^r^ medium of a code strong against the adaptive 

/S^iE^froT t>0^^fM~Cfc choice cryptogram attack which can be 

6 ck 5 jSi^^JjliRBt -^^t5fi: recovered even if it can perform calculation 

WUC&^fft^rtDWg-^rJC&Ujjfe efficiently also to many decoding people and the 

to itJ^CD:/ p if 9 Af2^^^: decoding person who is more than 1/3 performs 

£*§#W-5o BPfer©5IW©*J irregularity. 

©^^{c«t^iWf % £i\ ^t§^ That is, as means to reduce the computational 

<^(-3^5if^i!;£f£^t~5 complexity with respect to the number of 

^gkb LX^ W&MUfiityttz io decoding persons, by letting each decoding 

T^O^^fDiEStt^^-^S 1 person apparatus prove the correctness of that 

^fS^iEi^ ^ii"5)^^tctoT result by zero knowledge proof, it specifies an 

^E#£r#^L. jE^&t^-^ irregular person and, according to another 

<Dfy&Rl V^T^^^^mE^T viewpoint of this invention, performs verification 

bo -?r5"t"S^.i:(CctoTx % of a cryptogram first only using rightful data. 

-^^©^n(cit^!JLfcft^4"C By doing so, it can perform verification by the 

tltiESrfr:) ^ b & mfeXfo&o computational complexity proportional to 

t^tx w(7)^^V^5^^p|^|E several n of a decoding person. 

^fiiifsA^^Wca?), JflEfc However, in this case, since there are many 

febAs (C fljjlj amounts of communication, the zero knowledge 

#a##$S1t©th3l proof to be used is, efficiency is bad when 

WBCH^(D3 - K17— irregularity hardly happens. 

K b &<5<£ 5 When the correct cryptogram is received by 

<D{&?$iM&'xE£>^ It^^p^:^^ setting each decoding person's inherent open 

— K!7 — K-(?fc5r ££Sff^ value that the calculation result of each 

^fii 5 ^IIELx n — K!7— K'T? decoding person apparatus constitutes the 

te^M^<D^mftmmW&m coding word of a BCH code, and a 

fri~3 CI irfdctoTx IE Ll^Rf receiving-party apparatus verifying that a 
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■^^C$rS:fibfc^»^(c{±, iiff calculation result is the coding word, and 

Jt£$;ifc££^^#j&fH¥£: performing zero knowledge proof only when it is 

fir 5 ^ £ jfi* *Tii<!: ft 5 0 not the coding word, it becomes that it is 

possible to perform efficient calculation, with the 
amount of communication restrained. 

[0 0 2 1] [0021] 

Z<D%mzmti&. fF^-CtS If based on this method, the number of irregular 

?FlE%<Df&t± s 3 t + 1 > n £r persons which can be accepted will be to t 

mtc-f t A* Wife!}, £9 ft persons who fill 3t+1>n. 

MCiSi/^^^^fA^i It is unsuitable when a safe system with a 

£ti<5^a fcft^jji^~e£>5o higher tolerance is desired. 

^IE4f 1/3 £U± 1 / Moreover, it is as means corresponding to the 

2 fcffi<Dl&&\zttf&-f 5^S£ case where irregular persons are 1/3-1/2, 

UT. ?£lE%tffi%iJ££int£$fcEi another decoding person apparatus computes 

fi!l®t£^#S*a s tft^LT the distributed secret key which the irregular 

^©^E&tK^^ri^o^ifc^ decoding person has in cooperation with the 

2£H£3¥£ii 4£Hfli~<5 ^ t t£ case where an irregular person is specified, by 

iot, fcttfc;6^<7)^;E&tl opening to the public, although it also becomes 

^^fcftfroTIElxl^^&IH- bored, it solves a problem by enabling it to 

ftSri^ttSi^kt?) calculate the correct result instead of the 

w t iz X 9 . WM&ffllki'&o irregular decoding person. 

[0 0 2 2] [0022] 

Affcftft¥fNi»T©ffl 0 ~Cfo The detailed means are as follows. 

5 0 nA^ff S:P l~Pn It sets n persons 1 decoding person to P1-Pn, 

t #H-5§^f P j {ZM Hi and assigns the inherent open value wj to each 

^(DteMWw j 9 3 decoding person Pj. 

t <n£Wtfti- L^vMit It defines threshold-value t which fills 3 t<n. 

*5o (xl, x2, yl, y2, (x1,x2,y1,y2,z) 

z) eZq 5 £rb#Vvfji;t (D%& It disperses (element of)Zq 5 with the secret 

^^ffcfeMck 9#ifcU ffiw j dispersion method of threshold-value t, and let 

(x 1 j , x the secret value (x1 j, x2 j, y1 j, y2 j, zj) 

2 j , ylj, y 2 j , zj) corresponding to a value wj be the decoding 

P j <Dl$?$m t ir 5 Q person's Pj secret key. 
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Xj=gl x1j g 2 x2j mod Moreover, let Xj=g1 x1j g2 x2j mod p, Yj=g1 y1j g2 y2j 

p , Y j = g l y1j g2 y2j mod mod p, and Zj=g1 zj mod p be the decoding 

p , Z j = g 1 zj mod p 5 (X person's Pj public key (Xj, Yj, Zj). 

j, Yj, Z j) P j Let X=g1 x1 g2 x2 mod p, Y=g1 y1 g2 y2 mod p, and 

<D^H$t£:i~£o X= g l x1 g Z=g1 z mod p be the public key which it uses for 

2 x2 mod P> Y=gl y1 g2 encryption (X, Y, Z). 

^mod p , Z = g 1 z mod p t£ It shall connect by the safe communication 

<5 (X, Y, Z) $rHf^{b(Cffi channel between each decoding person 

V^3£H!iHt"f~<5o #*<E>%t? apparatus, and each decoding person 

%BWt?$&. ££&iIfs8&'T?gc apparatus shall utilize, the broadcast type 

Wi £ foXi$ 9 x &'&^%^WJ&^ communication channel it is guaranteed to be to 

ifo<D^jik<D&^%^WLfcf*l^?> receive the content with all the members* same 

rt^4rS:^Si"5 " t ;^{£fiE£ii other decoding person apparatus. 

<Dt~tZ> 0 

[0 0 2 4] [0024] 

E= (u 1, u 2, v, e) %c Let E= (u1, u2; v, e) be the cryptogram of 

Cramer-Shoup R§-^\2/ftM <£ 9 plaintext m enciphered by the Cramer-Shoup 

Bf ^rit £ ftfc¥:£mOm#:S: t cryptographic method. 

i~5 0 tfi-§4f5£fiW:> l&^LT A decoding person apparatus performs a 

#ffca^£j##JiH£^Tb> distributed random-number generation 

-f-^fP j (D^MJiiM^\^r j £ procedure in cooperation, and the decoding 

#5 0 ^ w ~C> r j (iSLfgt r e person's Pj apparatus acquires the secret value 

Z q£L#vMttt ©^5>mfe rj. 

tci «9 #ffcLfc:||^tf\ fiSw j Here, rj is a secret value corresponding to the 

5|B&fil"eS>>!k ttit value wj at the time of dispersing 

<D t + 1 fi®8MKffi^5>^ random-number r(element of)Zq with the secret 

tg#¥JHc J: «9 . r SrlHl^# dispersion method of threshold-value t. 

5 J: 9 ^tt"CfcS 0 It is the value which can recover r with a secret 

SL^^^c^l'S^ttK^^, decoding procedure from the secret values of 

tttt r ©fitSrftiS n t t*X% t+1 piece as desired. 

1\ r tiO^iq^flfcD^:^ Moreover, each decoding person cannot know 

^ &38$C £ ft 5 0 the value of r, but r becomes the random integer 

of 0 or more and under q from the characteristic 
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of a distributed random-number generation 
procedure. 

[0 0 2 5] [0025] 

2fctc* i&fii^^t^WLliWjJj LX Next, all decoding person apparatus cooperate 

#tfc^^^f££^fr L N 45-tK# and perform distributed multiplication means, 

# P j ©iScfifilft^filLx 1 each decoding person's Pj apparatus obtains 

j ' , x 2 j ' , y 1 j ' , y secret value x1j\x2j\y1 j\y2j\ 

2 j ' Sr#S 0 --t SHSliS Here, secret value x1j' is a value obtained by 

x 1 j ' %Mr <t$$$5lix dispersing the product of a random number r 

1 <£>H£r L# VMit t tf)§^5Htfc and a secret key x1 with the secret dispersion 

iSfefc J: tr#P>4x5i[-C method of threshold-value t. 

*>0, ffit<£> t + UOflttt It can decode x1j' to r-x1 (mod q) which t+1 

jj^ox 1 j ' ^P> > r • x 1 person's decoding persons as desired have. 

(mod q) Sr^-^^S^t^pf it can decompress r-x2 (mod q), r-y1 (mod q), 

tEffcSo i^ilx 2 j ' , y and r-y2 (mod q) from the values of t+1 piece 

1 j' , y 2 j ' (Coi^T&IpI respectively as desired similarly about secret 

ZMft&Mto t + 1 m value x2j , l ylj', and y2j'. 
(DiMfrb, r • x 2 (mod q), 
r • y 1 (mod q ) , r • y 2 

(mod q)Srtt7c1-5r£#-0 

[0 0 2 6] [0026] 

E £r3cft Lfc4H|[-^fP j §£iit Each decoding person Pj apparatus which 

ft, c =H (ul, u2) Joi received E, it calculates c=H(u1,u2) and 

Xfi V j = u 1 x1J+cy1f u 2 Vj=u1 x1J+cy1f u2 x2f+cy2/ V ,j mod p, it transmits Vj to 

v^mod p £rfH¥L. ifo^Mii all other decoding person apparatus through a 

ft SS^ril ©a[## broadcast type communication channel. 

^g^V j £ri£fli"f~<5o ^{-x Next, each decoding person apparatus checks 

#llf*filtt, (V 1 , V that the index part of (V1..., Vn) is the coding 

n) <Dffi&g{lifiBCHtt^r<D= word of a BCH code. 

- K!7— Kt$)5: £ SrflHR-J- The index part of (V1..., Vn) is not the coding 

So (VI, Vn) <D$£W% word of a BCH code, when it becomes clear 

^BC Hft^rtD =i — K V — K"C that it is not correct, it is each decoding person's 

lEL<^^^tt>WML Pj apparatus, it proves to another decoding 
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fc^£\4Mg-§-#P j <D$£\HtlZ s person by zero knowledge proof, without 

Vj^ui x1 f +cy1j " u 2 x2f+cy2 'v- ,j leaking the information concerning [ that Vj is 

mod ptf>tf»*tmT-fe5r t the calculation result of U 1 x1/+cy1j 'u2 x2/+cy2r v- ,j 

£ x 1 j ' , x 2 j ' , yl mod p, and ] x1j , ,x2j , ,y1j , ,y2j , ,rj. 

j ' , y 2 j ' , r j 



[002 7] [0027] 

fEIHKffclx" lstzM^% P j fi^F It considers that the decoding person Pj who 

jE#"C$>5 -^r^^F failed in proof is an irregular person, another 

lE^'Cfc'S^UiL^OS^'fitx 1 decoding person apparatus recovers secret 

j ' , x 2 j ' , y 1 j ' , y value x1j\x2j , I y1j\y2j\rj of the deviation person 

2 j ' , r j ^rftiico^^-^^g who is the irregular person using a secret value 

ri s 8HifH0f6#|g£:ffil^-ClHJ8l recovery procedure, and it exhibits the correct 

UjELVV j ©ISSSr&W-rSo value of Vj. 

^fl^ftfcjELVW j <£>{it£r*a It includes the exhibited correct value of Vj, it 

lEUV^ (VI, Vn) obtains correct (V1..., Vn). 

^t#-5 0 (VI, -, Vn) <om After the index part of (V1..., Vn) checks the 

&%tf1EL\<^ t ^ ^— K7— correct thing and that it is the coding word, it 

K"C&5;i t ZHUMl'tc^ it decompresses a value V with the secret 

Z>&&jM7u^Mte <fc decompression procedure with respect to an 

<9, ffiV^TC-rSo index part. 

^gfiVz5 s 1 fc^p LV^iS^St Each decoding person apparatus 

gH^x t£L< &v>&P>fftg-l§-£r It examines whether Vis equal to 1, if not equal, 

U"C#ih't"'5 0 it will refuse decoding and will stop. 

[002 8] [0028] 

^ Lvft&ff x #^-^-#P j CO If these etc. come to be by carrying out, each 

SsSlliD j = u 1 2i mod p ^rff- decoding person's Pj apparatus 

£U tik&Mmitffitck <om<D It calculates Dj=u1 zj mod p, it transmits to all 

^kTO^-^-^^g^^ff 1-£ 0 other decoding person apparatus according to a 

D j 2r^ff Lfc&^-^^^lifi broadcast type communication channel. 

(D 1 , D n) When verification of the coding word similar to 

(VI, ••, Vn) izjtf LTfr having carried out to (V1 .... Vn) is performed to 
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otc<DkWlffi<D*— K!7— K© (D1..., Dn) and irregularity is detected, each 

^lE&'ffVV ^FIE^rMttJ Lfc^ decoding person apparatus which received Dj 

^(cfil^l^^^^pfigliE^^rtTo performs zero knowledge proof similarly, 

T^I&#£r#AEiL, jELV^D j specifies an irregular person, and recovers the 

(D^&W&WM&^M&FR^X correct value of Dj using a secret value recovery 

©Hi^o procedure. 

[00 2 9] [0029] 

#tS##^fifi. jE Ll^ (D 1 , From it being correct (D1..., Dn), with the secret 

Dn) fab* if^SRtc^fi" decompression procedure with respect to an 

5©&tK7C^J(IfcJ:oTD= u index part, each decoding person apparatus 

l z mod pStISCt&Lx 01=6/ decompresses D=u1 z mod p, calculates 

D mod p ^rff^LT^ y± — m=e/Dmod p, and decodes Message m. 

v J m£tl7H-'5o When each decoding person apparatus 

^±fB#Jii(C^oTft^U7t^ calculates according to the above-mentioned 

£\ 2 t + 1 MSk±<DHM<DAE procedure, from the correct Vk(s) as desired 

UWkjJ^, ¥£W%fc%S1rZ> more than 2t+1 piece, the secret-key 

S^S^T&^IKfCck ^V=(u decompression procedure with respect to an 

1 x1+cy1 u 2 x2+cy2 v -1j r mQd p jndex part jt can d ecom p ress V USed as 

ft«V«rtl[5ci-6rfc#-(?# V=(u1 xl+cy1 u2 x2+cy2 v 1 ) r mod p. 

So V&p$ritekl>X Here, if V makes p a method. 

1 t & W\ X & & ?> f£ ^ And is not in cooperation with 1, also the value 

Cramer-Shoup ftfc&ttS** of original verification type u i x1+ <^ U 2 x2+c y 2 in 

(D4&fD£ u 1 x1+cy1 u 2 x2 ** 2 <D Cramer-Shoup method 

ttt> v £1^1*1 V\, —2^ In cooperation with v. 

1 k&mbt£Z>W&tt* On the other hand, when V becomes in 

5fc 0> H S5E v £ Ir] "C fc 5 cooperation with 1 , whether in cooperation with 

ii\ otitis SL^r^OffcS an original verification type v, or 

d^©v^i*ixA^$>So Whether a random number r is 0. 

^ffcSL»dfefiK¥IE"C^B)c It is either of this. 

LfcSJ&r ir&Sfll^Pfil However, the probabilities that the random 

/qtfo^ +#/h£v^<D-C$$ number r formed in the distributed 

ffi^S^i^^So ^ot, V random-number generation procedure will be 

^ 1 k&mx+h&m^tat, # set to 0 are 1/q. 

5f5C9$£ffl:^;fi v £ ^|pl"t?fe5 <h Since it is small enough, it can ignore. 

E/£t^i:i s t*t5o Therefore, when V is in cooperation with 1, it 
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can consider in cooperation with an original 
verification type v. 

[00 3 0] [0030] 

£ - 1\ ^FIE&rfli!i < ^-^f^ift Here, it assumes that there are a maximum of t 

A" t AV N <5 h$Ll£.irZ> 0 ^<D t decoding persons who act irregularity. 

Ait, ( 1 ) ^jE&Bf-^E These t persons, (1) 

-fS^fE^coffiV^^ l bfe&£. It makes it the value V of the verification type 

5 ifcfcfi ( 2 ) IE^& with respect to the irregular cryptogram E set to 

Bt^EtC^f-rS^IE^tV 1. 

# 1 fc*S>fcv*J: p{c-T-5> Or 

~ii«j©B«j"c±iB#iiS35>e>3a (2) 

I^i"S^-a 19 #5 0 t It keeps the value V of the verification type with 

tefrb, :£"Ctf>1S-^f^g<DtH respect to the rightful cryptogram E from being 

^(iBCHffOn- K17— K settol 

#&3lEt£ «to*C^IE$H-5fci?) % It can deviate from the above-mentioned 

jE&ffllta s #£'t" 5 iNHi> ^ procedure for two kinds of these objective. 

ZE&iii^^ftW 1 /37fc?ii&£> However, the output of all decoding person 

fif> ^^^Ht&r^ftr^S^i/J 5 apparatus can detect the presence, if an 

"C£5 0 •€:<£>«£ p&^aicWu illegitimate value is under whole 1/3 when an 

# * ©^-^•^•fi^^q^ljE^ J: illegitimate value exists since it is verified by the 

<9 ttiJjW<DlE t £ £f£Bj3-f 5 <£> coding word inspection of a BCH code. 

X\ ^jE&filL&rfcB^ Lfc^iE# In such a case, each decoding person proves 

fijBEf^Kc^afcL^ l^^tiz-So the rightness of an output value by zero 

knowledge proof, therefore, the irregular person 
who outputted the illegitimate value fails in 
proof, it is eliminated. 

[0 0 3 1] [0031] 

iff&Wfll&Klo^-tfi. V#l About leakage of information 

"C&V'SHK b*<D i. o ft u 1 When V is not 1, to the value of what kind of 

xucyi u 2 x2+cy2 ©ttfcit t> u1 x1+cy1 u2 x2+cy2 , it is as follows. 

V= (u l x1+cy1 u 2 x2 " cy2 v- 1 ) r V= (one value of r which satisfies 

mod p fc-f r (Djt^-o u1 x1+cy1 u2 x2+cy V 1 ) r mod p becomes settled) 

±fS^fE^fe"Cfi, Therefore, by the above-mentioned verification 

u l x1+cy1 u 2 x2+cy2 CiM-f 5tf method, the information about u ^^ u2 ^ 
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KfflHt*V\, »± J: 9 , does not leak at all. 

dco^^d ititf. ^IE£r#< As mentioned above, without leaking the 

^tMIft»l/3*f information about a secret key entirely, if the 

t£ht£* ^£it(£§B-t~<5if $ft£r decoding person who acts irregularity according 

—%)M £>i~^ <t & < » to this invention is under all decoding persons' 

%<DWjJjIz£iX&%:<D 1/3, by cooperation of two or more decoding 

Cramer-Shoup B%-%jjfe(D%kB: person, it can calculate a verification type 

^ t ^^(D&fi&Z&iftW* t~<5 ^ equivalent to the verification type of an original 

kfcpJflgXfoV, cfcoT. 3Sfk Cramer-Shoup cryptographic method, and, 

KlilJRRH^^:5^^^^V\ ^ifc therefore, can comprise two or more decoding 

^^^©^^S^frSfcSr^fijc"^ person's code decoding method strong against 

5 % 5 0 an adaptive choice cryptogram attack. 

10 0 3 2] [0032] 

— ±fB^Sfc*SV^-C\ BC On the other hand, for the above-mentioned 

H$Ft§-cQ3— KI7— KtfeSEStfr means, it does not conduct the coding word 

frT> ^c^&f&iiE^^rH^TL inspection of a BCH code, it always performs 

X^fJE^&tfc'ni U> fi!l<£>^7^# zero knowledge proof and specifies an irregular 

ti l H$>?} LX : £<DJflEti;%i J %r%& person, it computes the distributed secret key 

^o^ifc^^iitr^ttl 4£HI which another decoding person cooperates and 

irfcioT^ T&ft the irregular decoding person has, it opens to 

©^jEft&^^cfUsoTjEL the public, although it also becomes bored, 

V\feS:£rtH^ 5 r £#^#5 instead of the irregular decoding person, the 

<DX^ 1/2^M<D^1E^{ZM correct result is calculable, therefore, it can 

j£~t~<5 31 1 fcXi* <5 (^^Of^lE respond to the irregular person of under 1/2 (in 

b V ^ n £ fi^^C^'C^:^ order to decide by majority that zero knowledge 

'pf£< t h 1 /2 (D proof is correct, the decoding person of 1/2 at 

6 WttlE b < telftittte bft least must be correct). 

[0 0 3 3] [0033] 

[&W<D%M<DJ&M1 [EMBODIMENT OF THE INVENTION] 

1 Example 1 

SXTfc, Z.<D#9l<D%i—<D&'}& Below, it demonstrates the cryptogram 

W'Vfo&Wa^rX&niEjjfefco^ verification method which is the first Example of 
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Xt&$lirZ> 0 0 1 J: 5 £ this invention. 

Be ^tfftSfc^fSefi 1 lTrfNc^ The cryptogram made with the cryptogram 

titctig-^rXfe&^^Wl 2T* maker apparatus 11 as shown in FIG 1 is 

tS^£ft5ot6^4fil£fi 1 2T\ decoded with the decoding person apparatus 

iELv^st^r^ c ^v^ ^ b, ffi^iz 12. 

tl-^JSiS^S w £ SriBllj" S fc If it is not the correct cryptogram with the 

^HE^h^St 1 3t\ decoding person apparatus 12, in order to avoid 

53} 5 $Sftfc©T*fc5i^S: carrying out decoding refusal voluntarily, it 

^II _ t"2)o verifies whether decoding refusal is appropriate 

with the verification person apparatus 13. 

[00 34] [0034] 

V > £ £ ttMW p , q ^ & 9 » There are big prime numbers p and q now. 

q P - 1 £#J D -9J 5 © £ "f Q shall give a clear-cut solution to p-1 . 

<5o Gq(7)7tg 1, g25:7>' It chooses the origin g1 and g2 of Gq at 

¥MZ-miR-f 5o X=gl x1 g random. 

2 x2 mod p , Y - g 1 y1 g 2 Let X=g1 x1 g2 x2 mod p, Y=g1 y1 g2 y2 mod p, and 

^mod p , Z = g 1 z mod p $r Z=g1 z mod p be the public key which it uses for 

Sg^ik^Mte^^ZteM^bi- an encryption procedure. 

6 0 u:t\(xl, x2, yl, Here, it considers it as (x1,x2,y1,y2,z)(element 

y2, z) <=Z q 5 kirZ Q & of)Zq 5 . 

Mttfi4*gB'*9 ^ — * £ Public key shall be exhibited with p, q, g1, and 

P > q > g 1, g 2 k JkiZfefM g2 as an open parameter. 

£ tbT l ^ 5 1> <£> b~$~Z>o * fc© Moreover, the secret key shall be stored on the 

^$£fi1S^#S*iL£> ^ * y ±{£ memory of a decoding person apparatus. 

[0 0 3 5] [0035] 

X, Y, ZSr^WfiitLfc After, receiving cryptogram E= (u1, u2, v, e) of 

Cramer-Shoup Rf-^f&Jc J: <9 plaintext m enciphered by the Cramer-Shoup 

Bf $ tltc¥-Xm<DWm>JCE cryptographic method which used X, and Y and 

= (ul, u 2 , v, e) £r|H Z as public key as shown in FIG 2, (S1) and a 

2 (CTF-fck 0 {cSHf \^t^k (S decoding person apparatus form a random 

1 K r number r, and they are (S2), c=H (u1, u2), and 

fifcL (S2h c=H (ul, u V= ((S3) which calculates u1 x1+cy1 u2 x2+cy2 v" 1 ) r 

2) Joj:t;v= (ul x1+cyl u2 modp.). 



5/16/2005 



52/96 Copyright (C) 2005 The Thomson Corporation. 



JP2000-216774-A 



* .j i t.. 



x2+cy2 v" 1 ) r mod p£:fM£~t"<5 If V becomes one, it will consider this 

( S 3 ) o V 1 ft h }£ N r. ©Bt cryptogram as a pass and will perform (S4) and 

^XZ&fa iL(S4), decoding calculation (S5). 

*«rfT5 (S5) 0 

[0 0 3 61 [0036] 

V as 1 -e<c V ^ ft P> tf^te t f If V is not 1 , it will consider it as a rejection. 

<5 0 ^H#^^F^|&"efo6 ^ t In order to prove that it is a rejection to a third 

£fE^i~<5/c:#>, \fy b ^ 5: y person, it uses bit commitment function BC(), it 

M^hBMfcBC () SrffiV^T, exhibits BC (r). 

BC (r) §r^^f5o w©tf There are some which are depended on 
y b^t ^ y hit Pedersen in this bit commitment function, for 

Pedersen }wj:5t> example. 

(Oifih^o BP*>* SUBcs£r£fi5c That is, it forms a random number s, it 

UBC(r, s): = g r h s rHod calculates with BC(r, s):=g r h s mod p. 

p h^%1rZ>o --tg, hfi G and h are here under Gq whose discrete 

g &tf£.b1rZ) h(DMWttt$frt^ logarithm of h which uses g as a bottom is 

^tfeSi5^Gq©7ct^ unknown. 

[0 0 3 7] [0037] 

^(D^k, BC (r, s) £r^J& After that, r which comprises BC(r,s), it 

t^ri, temmx, YSrflffifc comprises public-key X,Y. 

t5xl, x2, yl, y2£r Use x1,x2,y1,y2. 

fflV^t(u l x1+cy1 u2 v * 1 ) The result of having performed calculation used 

r mod p ft 5 ff-Jf £??o fc^m as (u1 x1+cy1 u2 x2+cy2 V 1 ) r mod p is V, it proves to a 

jO*V~e£><5r.££\ r, x 1 , third person by zero knowledge proof, without 

x 2 , y 1 , y 2 KKH-SSHS leaking the secret about r,x1,x2,y1,y2 (S6). 

^^Pf^mE^'^^ The following procedures perform this zero 

Hif^fEBJ-f 5 (S 6) 0 knowledge proof. 

[0 0 3 8] [0038] 

J^T'Cfix g , h £r x g SrJiEi: Below, it carries out g and h the origin of Gq 

i~5 h <DffiWittWLi)S&lSi~£foZ> whose discrete logarithm of h which uses g as a 

J; 3^Gq(D%i:t5o H^Mf bottom is unknown. 
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3§f!(2> SLifta , a l , a 2 , A decoding person apparatus chooses random 

bl, b 2 £: Z q J; 9 iltR U numbers a, a1, a2, b1, and b2 from Zq, r=g r h a 

R = g r h a mod p mod p 

R X 1 = R x1 h a1 mod p RX1=R x1 h a1 modp 

R X 2 = R x2 h a2 mod p RX2=R x2 h a2 modp 



R Y 1 = R y1 h b1 mod p RY1=R y1 h b1 modp 

R Y 2 = R* 2 h b2 mod p RY2=R y2 h b2 modp 

^5R, RX1, R X 2 , RY It sends R I RX1,RX2,RY1,RY2 used as this to a 

1 , R Y 2 ^tikfE^t^W^^ttt verification person apparatus. 

-T5o 



[00 3 9] [0039] 

£?>M, Ig-^fStLteSlJ&w 0 Furthermore, a decoding person apparatus 

$rZq<t?)7 >^ AfciltR L> chooses a random number wO from Zq at 

K = g , L=g*° mod p random, k=g, L=g w0 mod p 

£^jffi#i$eg^;i£f ; H"<5o ^IfiE It sends these to a verification person 

e O&iT^e 1 &Z apparatus. 

q<tU7y^ -MciiiR LT A verification person apparatus chooses eO and 

B = K e0 L e1 mod p e1 from Zq at random. 

B=K e0 L e1 modp 

&fr£ LTB SrttWJSa^afe It calculates these and sends B to a decoding 

#"^-5 0 person apparatus. 



[0040] [0040] 
1K-^#$<fLf4SlJ&w 1 ~w 1 8 A decoding person apparatus chooses 

^Zqi^y A(Cj1IR random-number w1-w18 from Zq at random, ti 

Ti = g 2 ^ mod p =gi w1 g 2 w2 modp 

T 2 = gi w3 g2 w4 mod p T 2 =gi w3 g 2 w4 modp 

T 3 = g w5 g w6 mod p T 3 =g w V 6 modp 

T 4 =R w1 h w7 mod p T 4 =R w1 h w7 modp 

T 5=R w2 h w8 mod p T 5 =R w2 h w8 modp 

T 6 =R w3 h w9 mod p T 6 =R w3 h w9 modp 

T 7 =R w4 h w10 mod p T 7 =R w4 h w10 modp 
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T 8 = 


g Wl1 


h ^ 2 mod 


p 


T 8 =g w11 h w12 mod p 


T 9 = 


g w13 


h^mod 


p 


T 9 =g w13 h w14 modp 


Ti 0 = 


g w15 


h^mod 


p 


iW'h^modp 


T« = 


g* 17 


h^mod 


p 


Ti^g^h^modp 



T 12 = u 1 

-w5 



w11+cw15 



U 2 



w13+cw17 v T 12 =u1 w11+cw15 u2 w13+cw1 V w5 mod p 



mod p It calculates these and sends to a verification 

£ff#L~C\ 1&fiE#^g^:i£ft person apparatus. 



[004 1] [0041] 

^fifix e 0, el £rtl A verification person apparatus sends eO and 
L^i£tti~5 0 e1 to a decoding person apparatus. 



^ , B = K e0 L e1 A decoding person apparatus is B=K e0 L el modp. 

mod p It checks that these are formed, it stops proof, 

7^j&<9£or k&$m>L, when not formed. 

^fc&V^^tefiE^^^ it^ When this is formed, it is a decoding person 

5 C Ztbfcf&ViL^i§&. apparatus. 

#Sfif± Z1=w1+e0 and x1 modq 
zl=wl+eO*xl mod 



z 2 
q 

z 3 

q 

z 4 

q 

z 5 

q 



= w 2 + e 0 • x 2 mod Z2=w2+e0 and x2 modq 

Z3=w3+e0 and y1 modq 

= w3 + e0-yl mod Z4=w4+e0 and y2 modq 

Z5=w5+e0andr modq 

= w4 + e0 * y 2 mod 
= w 5 + e 0 • r mod 



z6=w6 + e0*a mod Z6=w6+e0anda modq 
q Z7=w7+e0 and a1 modq 

z7=w7 + e0*al mod Z8=w8+e0 and a2 modq 
q Z9=w9+e0 and b1 modq 
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z8=w8+eO-a2 mod 
Q 

z9=w9 + eO*bl mod 



z10 = w10+eO • b2 mod Z10=w10+e0 and b2 modq 

q Z11=w11+e0 and r-x1 modq 

z11 = w11+e 0 • r • x 1 Z12=w12+e0 (a-x1+a1) modq 

mod q Z1 3=w1 3+eO and r-x2 modq 

z 12 = w12 + e 0 (a • x 1 + 
a 1 ) mod q 

z 13 = w13+ e 0 • r • x 2 
modq 

z 14= w14+ e 0 ( a • x 2 + Z14=w14+e0 (a-x2+a2) modq 

a 2 ) mod q Z15=w15+e0 and r-y1 modq 

z15 = w15+e 0 • r • y 1 Z16=w16+e0 (a-y1+b1) modq 

mod q Z17=w17+e0 and r-y2 modq 
z 16=w16 + e 0 (a • y 1 + 
b 1 ) mod q 

z 17= w17+ e 0 • r • y 2 
mod q 

z 18= w18+ e 0 ( a • y 2 + Z18=w18+e0 (a-y2+b2) modq 

b 2 ) mod q It calculates these and sends z1-z18 and wO to 

SrfHS LTzl~zl'8SoJ:tJ c a verification person apparatus. 

[004 21 [0042] 

tfefE4?Ssfif3\ Verification person apparatus, Ng* 0 modp 

L = g w0 modp d z1 g 2 z2 =T 1 X e0 mod p 

g 1 21 g 2^= Ti X e0 mod p Gi z3 g 2 z4 =T 2 Y e0 mod p 
gi z3 g 2 z4 =T 2 Y e0 mod p 

g 25 h z6 =T 3 R e0 mod p G^h^Ta R 00 modp 

R z1 h z7 =T 4 (RXl)°°mod R z1 h z7 =T 4 (RX1) e0 modp 
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p R 22 h z8 =T 5 (RX2) eo modp 
R^ h z8 =T 5 (R X 2 ) ^mod R^h^TsCRYI^modp 
P 



veO. 



R z3 h z9 =Te (RY1) ^mod 



eO. 



R z4 h z10 =T 7 (RY2) e0 mod R z4 h z10 =T 7 (RY2) e0 mod p 

G z11 h z12 =T 8 (RX1) e0 modp 
G z13 h z14 =T 9 (RX2) e0 modp 



212 _ 



P 

_ Z11 K 

^mod p 

„ 213 v, 214 

g n 

^mod p 

„ 215 l 216 

g h 
e0 mod p 



217 



g- h 

e0 mod p 

^211+0215 



G z15 h z16 =Tio(RY1) eo mod p 



eO. 



218 _ 



T 8 (R X 1 ) 

T 9 (R X 2 ) 
T 10 (R Y 1 ) 



T 11 ( R Y 2 ) G z17 h z18 =Tn (RY2) e0 mod p 

u1 2l1 + cz15 u2 2l3 + c2l7 v -25 =Ti2V e0 mod p 

j5 — 

V 



u 2 z13+cz17 v = T It verifies that these are formed. 



^V^mod p 



[0 0 4 31 

±.(Dmmmm\i. schnon- m 

V, X, Y, R, RX1, RX 
2, RY1, RY2£!EL<f£ 
fife Lfc»£fc<D*tfeE£#j£»> 
±^><DX\ —^X*i>j$*9xLtzte 



[0043] 

The principle of the upper proof is Schnorr. It is 
the same as that of a signature. 
Since a verification type is formed only when a 
decoding person apparatus makes correctly V, 
X, and Y, R, RX1, RX2, RY1 and RY2, when at 
least one is not formed, it considers verification 
as failure. 



[*&60i|2] [EXAMPLE 2] 

WT(c> - <DWRV>1&—<D%1fc Below, it demonstrates the 2nd Example of this 

#iJiC-ov^tftl?Jli-5o invention. 

i~ <fc 5 ^Rf-^-fNc^^iI Hi As shown in FIG 3, the code maker apparatus 

P 1 ~ P n (D&^W 12 11 , and each apparatus 12! -12 n of decoding 

i~12„i: fetk&mmia & 1 person P1-Pn are connected to the broadcast 
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4{c:g^£tL> £fc^Hf^g type communication channel 14, moreover, 

1 2i ~ 1 2 n fiftiE{C35c£& decoding person apparatus 12i -12 n is 
iifsKS 1 5 T?§^£ft"CV^5 0 connected by the mutually safe communication 

channel 15. 

[00441 [0044] 

V^;fc# p , q ?) , There are big prime numbers p and q now. 

ql±p - 1 £r#J0i2J5 h<Dk~fr Q shall give a clear-cut solution to p-1. 

So Gq(D7tg 1, g2$r7^ It chooses the origin g1 and g2 of Gq at 

^AfcSSW-So nA© random. 

Iff ^Pl^PniU First, it sets n persons' decoding person to 

7MfP j (j=l, 2, n) P1-Pn, to each decoding person P j (J = 1,2..., n) 

L N @^©4^li8fiiw j £rfPJ It assigns the inherent open value wj. 

9 3 t < n SrSlfci" L# It defines threshold-value t which fills 3 t<n. 
VMS t £rX&K><5o ^^-§-#^6 'All decoding person apparatus perform the 

fi, Lawful t (Dft^CRM^tfL distributed random-number generation 

^JKSrSlHlUfTU H^M^P j procedure of threshold-value t 3 times, the 

<b^W&Wt£$L ( x 1 j , x 2 decoding person's Pj apparatus acquires a 

j, y 1 j, y 2 j, zj)£r secret value (x1 j, x2 j, y1 j, y2 j, zj), let this be 

Z-ti&W.-^r^t P j <Q$$5Si the decoding person's Pj secret key. 

i-TSo Xj-gl x1j g Moreover, let Xj=g1 x1j g2 x2i mod p, Yj=g1 y1j g2 y2j 

2 x2j mod p, Y j = g l y1j g mod p, and Zj=g1 zj mod p be the decoding 

2 ^ mod p , Z j = g 1 zi mod person's Pj public key (Xj, Yj, Zj). 

p£5 (X j , Y j , Z j ) & Furthermore, let X=g1 x1 g2 x2 mod p, 

®##P j 0>4>M«*-*-5 o $ Y=g1 y1 g2 y2 mod p, and Z=g1 2 mod p be the 

?>}c x X=g l x1 g 2 x2 mod p, public key which it uses for an encryption 

Y = g 1 y1 g 2 ^mod p , Z = procedure. 

gl z mod p $rBf^¥IHfCffi Here, (x1,x2,y1,y2,z)(element of)Zq 5 is a 

V^S^^iiii:i~5 0 (x random number decompressed by a secret 

1, x2, y 1, y 2, z ) e decompression procedure from t+1 set of secret 

Z q 5 \-i&M<D t + 1 %R<D%&!$ values (x1 j, x2 j, y1 j, y2 j, zj) as desired. 

jjf(xlj, x2 j, ylj, There is the method of depending on Pedersen 

y 2 j , z j ) i^P), SMfct^TC in the number generation procedure of part 

¥IH{^ J: <9 tS^^tiSSLilrefe scattering which forms such a random number, 

So r©J:5fta»«r3feJ*i"5 forexample. 

^ifcSL^fi!c¥IIS^tt,fif!lx.fdf, Below, the distributed random-number 
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Pe d e r s e n(ci5 jjfefi generation procedure is shown. 

[004 5] [0045] 

OU^-^&WffllM-i, [H 3 As shown in FIG. 3, the safe communication 

(Ctf L/cct o tc^^^iiffSS l channel 15 shall be between each decoding 

5tf&£h<DkL^ £/c, person apparatus, and each decoding person 

THf^gteu ^L<D±S.<DU^ apparatus shall utilize the broadcast type 

^fi^lH— <£>F*iS£:3H§ 1rZ>Z- communication channel 14 it is guaranteed to 

t tffikM £tiZ> ^^Mii If S& 1 be to receive the content with all the members' 

4 ^r^ijffi "C#<5t>£><l:"t"5o same other decoding person apparatus. 
S-l) Pj©gtliZq-hO S-1) 

~oco^]g^;f (x) =a 0 j+a The apparatus of Pj chooses two polynomial 

liX + '-'+atiX^cfct/gj (X) f(X)=aoj■+a 1j X+...+atjX , and, and g t 

= b 0 j+ bijX + -+ btjX* (XJ^oj+b^+.-.+b^X* on Zq at random, it 

V? A(c51tR U l-Pk <D*£W transmits fj (wk) and gj (wk) to each apparatus 

(k=l, 2, n, k = j (k = except for 1, 2..., n, and k=j) of Pk through a 

£rl&<) ^ f j (wk) io£X$ safe communication channel, 
gj (wk) ^i^ffiSS^ 

[0 04 6] [0046] 

5 - 2 ) P j <Dmm± i = 1 , S-2) 

•", t izft LT Cjj= g 1 aij g 2 The apparatus of Pj should receive i= 1..., t. 

bij mod p £fr^U Wti£mm& It calculates Cij=g1 aij g2 bij mod p, it transmits to 

$&%MCXi&(D£LX(DMS§r%-B all other decoding person apparatus through a 

W^&iS'tZ) o broadcast type communication channel. 

S-3) ftl<D±X (D^^BW. S-3) The apparatus of Pk which received Cy 

ri^Cy &5c:fB LfcP k<D*£M. from all other decoding person apparatus 

llwki=wk i mod q t LX verifies that gl^^^Co)** 0 'C^ 1 ...cy" 

g 1 5(wk) g 2 gj(wk) =Coj wko . c m od pis formed as wki=wk' mod q. 
ijW ki ... Ctj wkt mod p^^^^o 

[004 7] [0047] 
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S - 4 ) P k <£>ggf± x 1 k = S-4) 

fl (wk) + f 2 (wk) + The apparatus of Pk obtains distributed 

— +fn (wk)mod x2 random-number value x1k,x2k as 

k = gl (wk) + g 2 (wk) x1k=f1(wk)+f2(wk)+...+fn(wk)mod 

H hgn (w k ) mod qH q,x2k=g1(wk)+g2(wk)+...+gn(wk)mod q. 

TMailx lk, x 2 k£ S-5) 

t#5o It considers it as X=Coo*Coi...Co n modp. 

S-5) X = Coo*C 0 r-Con It also makes similarly secret-key y1j, y2j, and zj 

mod pttSo IHt£K4kMNft Y, to which public key Y and Z and each decoding 

Z&£Xf&fe-%r%<D#JfcirZ>%& person correspond similarly. 
Sty 1 j , y 2 j , z j 

[0 04 8] [0048] 

£H-§-#SHfi* All decoding person apparatus form dispersed 

¥JiB(CcfcoT\ #ifc£;ftfc$Lifc random-number r(elemeni of)Zq with a 

r^Zq?:4fi!cU #ti^Mt'P distributed random-number generation 

j <D^Wfiffi$5$i r j £rl&£H~ procedure, and each decoding person's Pj 

5 (El 5 , S 1 ) 0 X, Y, Z £ apparatus maintains the secret value rj (FIG. 5, 

^M^t Ltc Cramer-Shoup flf S1). 

^jfetct OBff-^ftStLfc^A After receiving cryptogram E=(u1,u2,v,e) of 

mCOBf-^tE = (u 1, u 2, plaintext m enciphered by the Cramer-Shoup 

v, e) £^{flr/M& (S2K cryptographic method which used X,Y,Z as 

#£##P j 0>Sfif±* c=H public key, the apparatus of (S2) and each 

(u 1 , u 2) 3o<£tfV j = (u decoding person Pj are c=H (u1, u2) and Vj= 

l x1)fcy1j u 2 x2^cy2j v .1 ) rj mod p ((S3) whjch ^,^,^5 U 1 x1 ^ j u2*^V 1 )*mod 

SrfHTfS (S3) 0 p.). 

[0 04 9] [0049] 

if^TP j O^fifiV j £rb# Then, the apparatus of Pj disperses Vj with a 

I Mil 2 t <D&WQ1feffiBBft%Cfe with a threshold value of 2t verifiable secret 

19 #tfcL, fiSw k dispersion method, and it transmits the secret 

5 jit V j k Sr^Mg-^ff P k value Vjk corresponding to a value wk through a 

(DH&Wfctg^itzMin LX communication channel safe for each decoding 

i£ff ( S 4 ) o r. r V ^5 person's Pk apparatus (S4). 

&tE^tlZW85jfrWLfeiz\*. Pe It can use the method of Pedersen for the 
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d e r s e n©^fe^ffl^5r verifiable secret dispersion method which it 

ktf-VZZo KTtttOfH-C uses here. 

h &o The following is the procedure. 

P - 1 ) ;*:#&^i&:P, Q^fe P-1) There are big prime numbers P and Q. 

9, Q fi P - 1 £#J *> 91 D x * G and h which Q gives a clear-cut solution to 

fcQ> p £i"<5^ gioctTJ^hfi, P-1, and it makes into Q>p are the origin of Gq 

log g h <D$L&fc%\-x*h%> X. o whose value of log g h is unknown. 

fcGo <D7cki~ 6 0 

[0 0 5 0] [0050] 

P-2) P j <7>^gf2Z Q ±<D P-2) 

"o^^JS^fj (X) =Vj+ The apparatus of Pj 

ai j X+-+a fl X t *5j;0g j Two polynomial fj (X)=Vj +aijX+...+a^X' and, gj 

(X) = b 0j + bijX + -+b| (XJ^oj+biiX+.-.+b^X 1 onZo 

X* (tctcL a oj = V j b-i~&) (However, it is referred to as a 0 j=Vj) 

£V j (D^ftfr^^Xy^fJ* Except for the part of Vj, it chooses this at 

U #Pk (D^M^ f j random, it transmits fj (wk) and gj (wk), i.e., Vjk, 

(w k) ^il^g j (wk),o to each apparatus of Pk through a safe 

* 0 V j k £r£:£&il{f communication channel. 

crafts. p-3) 

P - 3 ) P j <D$£Wit i = 1 , The apparatus of Pj should receive i= 1 .... t. 

- , t \Z M b X C „ = g aij h bii It calculates Cjj=g aij h Wj mod p, it transmits to all 

mod p £rff# ^^S!iil{tS& other decoding person apparatus through a 

£31 CXi&(D-&X<DjM.^r%3&W. broadcast type communication channel. 

[00 5 1] [0051] 

P-4) CySrSff LfcP k(DB The apparatus of Pk which received P-4 Cy 

fifiw k i = w k mod q L verifies that g^^s^^Ci, 1 * 1 ...C^mod 

X gfiWh^^Co/"* 0 • Cij** 1 p is formed as w^wk'mod q, that is, verifies 

-Ctj^mod ptiitfWtL'O^t Vjk(S5). 

o£9Vj kSrtft P-5) 

HE^"S ( S 5 ) 0 When not formed, the apparatus of Pk transmits 

P-5) $9 iLfc&vv||-£\ p a "rejection" to all other decoding person 

ktf^iEti r^-gs&j $r£fci£?S apparatus through a broadcast type 

iiff S&^ril DTfdl<£>±-t <E>^-5§- communication channel. 
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[0 0 5 2] [0052] 

p - 6 ) r^^j t + 1 p-6) 

®$X±X*foZ>^ik< P j fl^IE When the notification of a "rejection" is t+1 or 

#£B&£tlT#|&£ft (S more pieces, it is regarded as an irregular 

6)M<0±U^BWiP j <D person, and is eliminated and Pj is (S6), other 

^Wfc&mte&it Lfd^TOff all decoding person apparatus 

#£J^lSrt~3o P-4, 5, 6 The apparatus of Pj aborts all the information 

(DXr- yfliftWt^iU V j k transmitted before. 

(DtikfiEb, >F l£%<D$t&%:ft 5 The step of P-s 4, 5, and 6 is the procedure of 

¥JiI"Cfo 9 s ^TGDtg-^f$*g performing verification of the distributed secret 

j& s ir— 9 £ri£ff L^lfro fcl^ value Vjk, and an irregular person's rejection. 

£ t &T^cM&y h &<&^r$~ After all decoding person apparatus finish 

~C?to X h <t V\, transmitting data, it is sufficient to carry out by 

releasing a rejection list collectively. 

[0 0 5 3] [0053] 

^tif^#^tg;^±!E^fllIfc J: o After all decoding person apparatus disperse Vj 

TV j £r5MRLfc^ #tg7Mf with the above-mentioned procedure, each 

P j <£>S*tif±x V j 33 i Z$ b 0 j decoding person's Pj apparatus, vj and b 0 j 

^Ifc^Wfeit ^^:MCXM(D^ It transmits to all other decoding person 

X (Dfe^^^Wi^&in (S apparatus through a broadcast type 

7 ) 0 wtbSrSft Lfc#^g-^ P communication channel (S7). 

j <£>^ Si f± > C 0 j = g 1 vj h The apparatus of each decoding person Pj who 

mod pi^!)io:t £r$i|g received this checks that C 0 j=g1 Vj h bq mod p is 

LTV j ^^SE-f 5 ( S 8 ) Q $ formed, and verifies Vj (S8). 

9£fcftvv|§^^ lufSI^^, When not formed, it notifies a "rejection" to 

T^F^^j £ftil<D^iX^Mf^iL other all decoding person apparatus like the 

^il£n L, ^IE^f £r#$H~>5 ( S above, it eliminates an irregular person (S9). 
9) 0 



[00 54] [0054] 

!EL\,^tmW£titc±X<DVk If correct, it will choose 2t+1 piece from all 

frh&Mte2 t + im&m$lL checked Vk(s) as desired (S10), and it 

(S 1 0)^%t%$\z.%f-f examines whether the value V decompressed 
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&fc^M^£ UtlTcLfcffiVi* with the secret decompression procedure with 

Hc^LV^^^SrH^S (S respect to an index part is equal to 1 (S11). 

1 DoJtiSclfP(^"f %>%&&&jc The secret decompression procedures with 

^fldfizSCtk Cramer.et.al: * A respect to an index part are documents, 

seure and Optimally Efficient Cramer, et.al: "A seure and Optimally Efficient 

Multi-Authority Election Multi-Authority Election Scheme", Advances in 

Scheme " , Advances in Cryptology-Eurocrypt'97, LNCS 1233 

Cryptology-Eurocrypt'97 , Springer-Verlag, pp. 103-1 18, and 1997 It is 

LNCS 1233 Springer-Verlag, detailed. 

pp. 103-1 18, 1997 fcf£Ll\ Hi The decompression procedure with respect to 

~Rc, illR L tc 2 t + 1 ffi<D V the index part at the time of making into (alpha) 

k <D4 yfy 9 x k (D%fe%: a an ensemble of the index k of 2t+1 piece Vk 

t L/c#^<7)^|fc^fc^^<5tif chosen as below is shown. 

7t;¥JiH£:^"t*o ^ffc^^^Hif The secret value of an index part presupposes 

ttPede r s en O^mE^TtM that it is the secret value acquired with the 

^^W^X^bivtcU^UX verifiable secret dispersion method of 

& 5 t ir <5 o Pedersen . 

[0 0 5 5] [0055] 

R-l) £1\ Lag rang R-1) IT IS LAGRANGE INTERPOLATION 

e W$&M£ COEFFICIENT FIRST. 



[0 0 5 6] [0056] 

l$tl] [EQUATION 1] 



t LX irH§^ 5 o It calculates as these. 

R-2) R-2)NEXT, 

[0 0 5 7] [0057] 
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[W2\ [EQUATION 2] 

V = n jea VjUa cod p 



£tf£1-5 0 VfrlX*t£\^t£h It calculates these. 

tfi02t + lflOKI*^t)* If V is not 1, it will repeat a secret 

XW^k^W&^&jt^M^^^ decompression procedure similarly in other 

t(S12), ±X<DUfr&t>1t 2t+1 piece combination (S12). 

(coV^TV^-ftb^^TufiS^ 1 About all combination, if the decompression 

U < f£ V f±\ ^cM££riI value is not all equal to 1 , it will notify a rejection 

£fl L Tff ±"t" 5 0 and will stop. 

[0 0 5 8] [0058] 

— o-C<> 1 fcft5*&*^;b*#& if there is combination set to 1 at least one, it 

foitcfthti^ ©BtTpvJt will consider this cryptogram as a pass. 

1&k1-Z> 0 ^g-^THfP j <£>gli As shown in FIG. 4, each decoding person's Pj 

f±l24 i£*F"t"«fc 5 t^D j = u 1 apparatus calculates Dj=u1 zj mod p, and 

2j mod p£IH^L (S lh transmits it to all other decoding person 

S!iifSK^J:9ffi©^T©W apparatus according to (S1) and a broadcast 

#^it^£{f i~5 ( S 2 ) 0 D j type communication channel (S2). 



Id 



Ltc^^M-^^^MUD Each decoding person apparatus which 

1, — , DnOul £rJiE<tl^<5 received Dj 

mWcM^B CHffO^- K By checking that the discrete logarithm which 

!7— K"C£>£ ^ t (S uses u1 of D1...,Dn as a bottom is the coding 

4), =* — K7— K-efcftfcf, iff word of a BCH code, if it is (S4) and the coding 

^©^$t^f£*j-f 5^^tc¥ word, it will decompress D=u1 z mod p with the 

JiRtciJ: 0 D = u 1 z mod p secret decompression procedure with respect 

75U (S5k m=e/D mod to the above-mentioned index part, it will 

P &rfHfLT^ i/m&lM calculate (S5) and m=e/D modp, and will 

( S 6 ) 0 ^fy^S4t* decode Message m (S6). 

3— K!7— KT*&tt*U2\ ^ If it is not the coding word in step S4, it will 

i{£<fc9> f+^£>IEL££r prove the rightness of calculation by zero 

BEWC#*l*t>©tt knowledge proof. 
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?flE(DD i t LT^Si^S (S It aborts the thing which cannot be proved as 

7) 0 irregular Di (S7). 

mMffl3] [EXAMPLE 3] 

WTC> Below, it demonstrates the 3rd Example of this 

m (c o v > X B W i~ 3 o invention. 

[0 0 5 91 [0059] 

&*<Dfe^%^lt?$\^fe, That a safe communication channel shall be 

t£Min$&fch£h(Db L^fCx between each decoding person apparatus, and 

Qfe^^^Wife., ttL<D^kM.<DlM. each decoding person apparatus receives the 

■%^t3£\SL&\»l— (Dfy^ir^it't content with all the members' same other 

5 ^ i^t^liE^tLS^^^iift decoding person apparatus shall utilize the 

S&$rf»Jffl*Tr# 5 i><Dk-tZ>o J< broadcast type communication channel 

^fti^ikp, qfcfoV, qfip guaranteed. 

- 1 ^W^^OS h <Dh1rZ> 0 G There are big prime numbers p and q. 

q g 1, g 2 iry^y J\{z Q shall give a clear-cut solution to p-1 . 

iliRi^^o nA^Sft It chooses the origin g1 and g2 of Gq at 

^Pl-Pn^U MftP random. 

j (c^fL, Wl^CDteffiiiHw j £: First, it sets n persons 1 decoding person to 

WlVM&o 3 t < n &Witc-$~ L P1-Pn, and assigns the inherent open value wj 

# VMK t &7j£#>Z> 0 to each decoding person Pj. 

It defines threshold-value t which fills 3 t<n. 

[00 6 0] [0060] 

Sf, Peder senCiS First, the secret dispersion method by Pedersen 

W%ftWc%fe&7F-to £1\ g, is shown. 

h & log g h&^zjftXfoZ) £ o First, it carries out g and h the origin of Gq 

t£ G q ©tu t ~t~<5 0 3&$Hit a 0 , whose log g h is unknown, 

b 0 ^^fH^^IB^ P (D^WL The apparatus of the portioner P who disperses 

f±, Z q_b<D t ^(D~oo#Jl the secret values aO and bO are the t-th two 

i£f (X) =aO + alX + - polynomial f(X)=aO+a1X+...+atX t on Zq, 

+ a t X 1 , g (X) = b 0 + b except for aO, it chooses g(X)=bO+b1X+...+btX t 

1 X H hb t X l Sra 0Sr8^ at random, and sends f (wj) and g (wj) to the 

1/^7 -MciiiRLx &%kin apparatus of each receiving party Pj through a 

j (D^M^ f (w j ), g (w safe communication channel. 
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j) &$±teMti!&&MCX& 

ft-rs. 

[006 1] [0061] 

o#*M, ^-WM<D=i 5: y MSE Next, it calculates the commitment value Ei of 

i$ri=0, — , t {cMLXE each coefficient like Ei=g ai h bi mod p to i= 0..., t, 

i = g a, h b, mod p<D X 5 f-ft and opens to the public through a broadcast 

^^Miifi!8§£r:fr L"t£r type communication channel. 

M1~&o ^tib&^isLtc&P Each apparatus of Pj which received these 

j (Dmmz, u j i = w j 'mod verifies that g f(wj) h 9(v *=E0 uj0 E1 uj1 ...Et ujt mod pis 

q t t T g f(wj) h g(wD = E q ujO formed as u j j=vvj i m£)d q 

El*-Et* mod p tfffc <0 It calls the value of this E0 uj0 E1 uj1 ...Et ujt mod p 

ior £ ^r^H^^o the commitment with respect to the distributed 

u i° E 1 uj1 - E t ujt mod p (Dm secret value of Pj. 

&P j <DjfrW$>&UKM'tZ>^ If the commitment value of each coefficient is 

5 v h / y h t &&M<D exhibited, anyone can also calculate the 

=> ^ -y ^'f^75^^$i^•tv^i^ commitment with respect to which distributed 

fcf, fftt*t>, E<DP i<DftWffi secret value of Pj. 

tr#1-5 3. 

[0 0 6 2] [0062] 

TTii, n 0>S96#fb&ife$: Below, it is this secret dispersion method. 

Ped (aO, bO) [g, h] Ped (a0, bO) [g, h] -> (aOj, bOj) (E0..., Et) 

-» (aOj, b 0 j ) (E 0 , It writes like these. 

— , E t ) (aO, bO) are confidential informations dispersed. 

<D X o {£iiK 0 (a 0, bO) li (aOj, bOj) are distributed secret values which it 

ftWt. $ 9 x ( a receives through a communication channel with 

0 j , b 0 j ) P j (D^M. each safe apparatus of Pj. 

asgc^fcilflrBSSr^ LX&fci" It is equal to f (wj) and g (wj) respectively. 

<5#tfc®5^fi'C s &> l 9, ^ti^ti (EO..., Et) are commitment values of each 

f (wj), g (w j ) coefficient exhibited through a broadcast type 

(EO, Et) fi$:i£?gjil communication channel. 

m&&mzx'£mzinz>. &m [g,h] 

3 ^ -y h ivUXfo 5 0 [ g , h ] express the bottom which it uses when making 

t£=i 5 v h £rffr&-f6^/BV> a commitment. 
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•5Jl£$r^i"o ±fElEftMI3 L"C\ It is related with the above-mentioned account 

method. 

B£ < ^Jl^O^i^fi yls^MZ. Specifically, as long as there is no notice, it shall 

h <F> t i~ <5 0 choose the coefficient of the polynomial except 

an absolute term at random. 

[00 6 3] [0063] 

w<£> X o K L"t#t&:£tifc^fr?£ Thus, from the dispersed secret value, when a 

^^^MfUKX-^XTt polynomial interpolation recovers the original 

©^B&SrEiart-SSKHcii, £ secret, the holder of each distributed secret 

■fs #^»0BHIffl[©fiy##t4» value exhibits the value first. 

ZcomZ&M-tZo Ztitc It checks that g a0i h"* =EO U)0 E1 uj1 ...Et u *modp is 

( a 0 j , b 0 j ) i&zft t t\ formed to the exhibited value (aOj, bOj). 

g aoj h boj = E 0 ujo E t uji . . . E Let the ensemble which the index j makes be 

t ujt mod p M <9 4or t £fift (alpha) about t+1 (aOj as desired, bOj) of which 

Mir?) 0 r (D3Up>$L %£o j; 5 this equation consists. 

fcfeM?) t + l fi<£> ( a 0 j , Lagrange interpolation coefficient 

b 0 j ) icov^T, ^(D^yf 

•5o Lagrange MPeSJ^it 



[00 64] [0064] 

[$C3] [EQUATION 3] 

=nne 0 . nui/CHO nod q 

When it carries out, 

[0 0 6 5] [0065] 

[$C4] [EQUATION 4] 
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S j<=a a aO j nod q = a 0 



kteVs a 0 SrEHgi-S r. t & A these next door, aO is recoverable. 

6 0 b 0 fclRlfilfC UTIh]^ BO is recoverable similarly. 

~C#3o ±lE®W6#tfc#i5fcte, Even if it uses only one bottom, it can 

J&£— off ft ffiv^-c [p1# completely perform the above-mentioned secret 

^fj-f'S r £ 1? # 5 0 -t © dispersion method similarly, 

cfc 5 ftSHWi* P e d ( a O ) In such a case 

[g] ^ (aO j) (E 0 , Ped(aO) [g] It writes it as -> (aOj) (EO..., Et). 

e t) tm< 0 



[0 0 6 6] [0066] 

r <D%&$gftWcjjfe£%\lRi UT> The random number dispersed in cooperation 

mWcAfcffliM LXftWt&titc^L by two or more persons is generable using this 

$c£r£fiJH~5 wt^T*t5o £ secret dispersion method. 

i\ P i ©i£*fif3\ SJ&a i, First, the apparatus of Pi chooses random 

b i £Z q ck ^iitRl^ numbers ai and bi from Zq, this 

Ped (ai, bi) [g, h] Ped(ai,bi)[g,h]->(aij,bij)(EiO...,Eit) 

-> (a i j , b i j ) (E i 0 — , It disperses like these. 

E i t ) All the members of P1-Pn perform this. 

5 ^#tH~3 0 Pl^Pn Then, the apparatus of Pj receives (a1j, b1j)..., 

<£>£H^ wtL$r^tri"2)o i~<5 (anj, bnj) from a safe communication channel, it 

P j <£>^gfi. (a 1 j , b receives (E10..., E1t)..., (EnO..., Ent) from a 

1 j ), — , (anj, bnj) broadcast type communication channel. 

£r3^ftaH&BW»5>3£fB U (E At this time, it sets the distributed secret value 

10, — , Elt), (En (x1j, x2j) of Pj to x1j=a1j+...+anj 

0, Ent) ££fci£Mfi modq,x2j=b1j+...+bnj modq. 

!&#^!£{lti~<5o P The random-number value x1 recovered from 

j W^ffcMfit ( x 1 j , x 2 this distributed secret value, 

j ) £\ x 1 j = a 1 j H h 

a n j mod q , x 2 j = b 1 j 
H h b n j modq<ti~<5 0 ^ 

Wx lii. 
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[0 0 6 7] 



[0067] 



[EQUATION 5] 



x 1= 2 Jea Ai,. tf x 1 j=a 1 +-+an nod q 



-CfcfK HHgriSHfT^ftS*"? They are these. 

fi^ ftfc ^^(DiUtffti <bti% w The value is known by nobody until recovery is 

£ttfcv\, £fc, ^©gMJr performed. 

tit££^£-f<5#^Sz£tf>k#;© Moreover, the commitment value EXk of the 

&M<D=i 5 y hffiE X k E k-th coefficient of the polynomial which makes 

Xk = Elk • E 2 k-En k this secret random-number value a constant 

mod p t E X 0 = constitutes EXk=E1 k-E2 k...Enkmod p. 

g^h^mod pX*fo% kiz& Particularly, it is cautious of it being 

Mo z.(D^m^. #f!cSL$c« EX0=g x V 2 mod p. 

h i0» It calls this method distributed random-number 

Rand ([a ], [b]) [g, h] generation, rand([a], [b]) [g, h] -> (aj, bj) (EO..., 

^(aj, b j ) (EO, -, E Et) 

t ) It writes. 

t^< 0 ([a], [b]) $L$L ([a], [b]) are random-number values formed. 

£tiZ>3Lmmx*h<9, [ ]ti^r [ ] 

<DiUti>¥<D$tW%rfcMl-Xhfc means that the value is unknown to every 

Sr. k&Mtii-f&o lg> accountant, 

h], (a j, b j ) 3o£ Xf (E The implication of [g,h],(aj,bj) and (E0...,Et) is 

0, E t) (DMMi'i. Sux£ the same as that of the account method of 
(D^^^Wn<Dti^t^i^Xh above-mentioned secret dispersion. 

ho 

[006 8] [0068] 

^kfe^-^'^Wi, L#vMittco All decoding person apparatus are the 

^ffcSJ&^j&^JillSr distributed random-number generation 

Rand ([xl], [x2])[g procedures of threshold-value t. 

1, g 2] -» (x 1 j , x 2 j ) Rand([x1], [x2]) [g1, g2] -> (x1j, x2j) (EXO..., 
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(EXO, EX t) EXt) 

Rand ([y 1], [y2]) [g Rand([y1], [y2]) [g1, g2] -> (y1j, y2j) (EYO..., 

1, g 2] -» (y 1 j , y 2 j ) EYt) 

(EYO, EYt) Rand([z1])[g1]->(z1j)(EZO..., EZt) 
Rand ([z l])[g 1 ] — ► ( z 
1 j ) (EZ 0, - •, EZt) 



9 £ SHJUfr ffi-^&P It performs 3 times like these, the decoding 

j i'iM^W ( x 1 j , x 2 j , person Pj acquires a secret value (x1 j, x2 j, y1 

y 1 j , y 2 j , z j ) &r#, j, y2 j, zj), let this be the decoding person's Pj 

r *i £ P j <D®&mt1r secret key. 

So X j = g l x1i g 2 Moreover, let Xj=g1 x1j g2 x2j mod p, Yj=g1 y1j g2 y2j 

^mod p,Yj=gl y1j g2 y?i mod p, and Zj=g1 2j mod p be the decoding 

mod p , Zj=gl zj mod p & person's Pj public key (Xj, Yj, Zj). 

5 (X j , Y j , Z j ) Furthermore, let X=EX0=g1 x1 g2 x2 modp, 

#P j (D&mmt-tZ* £ iblc, Y=EY0=g1 y1 g2 y2 mod p, and Z=EZ0=g1 2 mod p 

X = EX0 = gl x1 g2 ^mod be the public key which it uses for an encryption 

p, Y = EY0 = gl y1 g2 procedure. 

^mod p, Z = EZO = gl z (element of)(x1, x2, y1, y2, z) Zq 5 is a random 

mod p $:B0 ^-'ft;#III(Cffi V^S number decompressed by a secret 

£"t*5o - - ( x 1 , decompression procedure from t+1 set of secret 

x2, yl, y2, z) £Zq 5 values (x1 j, x2 j, y1 j, y2 j, zj) as desired here. 

fiffit<£> t 4- 1 low ( x 
lj, x2 j, ylj, y2j, 
z j ) frh. 896«7c#lg{cJ: 



[006 9] [0069] 

^^-^Mf^fSfi, ^tfcSLifc^Elt All decoding person apparatus perform 

#l[|Rand ([r], [s])[g distributed random-number generation 

1, g 2] -» ( r j , s j) (R procedure Rand ([r], [s]) [g1, g2]-> (rj, sj) (RO..., 

0, Rt) £r^fxl^ ftWt Rt), it forms dispersed random-number 

£tWcSLifcr e z q £r£j$;L, r(element of)Zq, each decoding person's Pj 

^H^-^P j <D*£Wi3ffi&$i r apparatus maintains the secret values rj and sj 

j, s j £{&Erf5 (®6, S (FIG.6.S1). 

1 ) 0 ::t'RH = R0 = g 1 It makes R into R=R0=g1 r g2 s modp here. 



5/16/2005 



70/96 Copyright (C) 2005 The Thomson Corporation. 



r g 2 s mod pk-fZ> 0 



[00 7 0] [0070] 

^M^-^^MH, ftWtM Next, all decoding person apparatus obtain 

£¥&fc:J:oT|K#1ttxl secret value x1j\ x2j\ y1j\ and y2j' by 

j ' > x 2 j ' , y 1 j' , y distributed multiplication means (S2). 

2 j ' £r#5 (S 2) 0 Here, secret value x1j' is a value obtained by 

^#H£x 1 j ' fi, SLiScr htf& dispersing the product of a random number r 

^Hx 1 WffiS: L#lMtt t <D|ft and a secret key x1 with the secret dispersion 

*4MRifetc«fc 9^*bT#fe*t method of threshold-value t. 

<5ffi"C$> 9 > ttf © t + 1 A© From x1j' which t+1 person's decoding persons 

^tM^^o xl j ; r as desired have, it can decode rx1 (mod q). 

x 1 (mod q) £r^-^H~<5 £ t It can decompress rx2 (mod q), ry1 (mod q), 

^ pltET'fo 5 o Suffix 2 j ' , and ry2 (mod q) from the vafues of t+1 piece 

y 1 j ' , y 2 j ' tcov^Tfc respectively as desired simifarly about secret 

tMtifcM.<D t + 1 value x2j\y1j', and y2j f . 

ft©ffi^C>^ r x 2 (mod q), About such distributed multiplication means, it 

r y 1 (mod q ) , r y 2 (mod performs as follows. 

q) sr^Tc-rsrttfs-etSo 

[00 7 1] [0071] 

tg-SjMfP j £>S£{!{i x The decoding person's Pj apparatus, ped(x1j, 

P e d ( x 1 j , x 2 j ) [ g 1 , x2j) [g1, g2] -> (x1ji, x2ji) (EXjO..., EXjt) 

g2]-> (xl j i, x2 j i) It performs these. 

(EXjO, EXj t) Each apparatus of Pj calculates Rj=g1 d g2 sj mod 

zmn-fZo &p j (ommits p. 

R j = g 1 d g 2 sj mod p £rfh Since this value Rj may be calculated like 

5 0 ^(DiUR j u j i Rj=R0 uj0 R1 uj1 ...Rt ujt mod p as uji^mod q, it 

^wj'mod qiLTR j =R cautions it about the ability of anyone to 

0 uj0 R 1 uj1 - R t ujt mod p <D calculate. 

±5fctf#LTfc&V>©-e % ft 

[0 0 7 2] [0072] 
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Next, the polynomial used for dispersing x1j and 

x2j by Ped (x1j, x2j) is used for the apparatus of 

Pj as it is, and it is Ped(x1 j, s1 j) [Rj, g2] -> (x1ji, 

s1ji) (ERX 1j0..., ERXIjt). 

Ped(x2j, s2j) [Rj, g2] -> (x1ji, s2ji) (ERX 2j0..., 

ERX2jt) 

It performs these. 

However, s1j and s2j also choose at random the 
polynomial which chooses at random and 
makes these an absolute term. 



jfcfC, P j (D^gfi, P e d (x 
lj, x2 j) txl j, x2 

j %ftm-rz<Dizm^tc&iK& 

£^££fl§^-t, P e d (x 
1 j , s 1 j ) [R j , g 2] — 

(xlj i, slj i) (ERX 
1 j 0, ERX 1 j t) 
Ped(x2j, s 2 j ) [R j , 
g 2] -» (x 1 j i , s 2 j i ) 

(ERX 2 j 0, — , ERX2 
j t) 

£Htrf£o fcfcU slj, 

s 2 j r±9^^Aicarf,*fc, 

[00 7 3] [0073] 

<H£U\ P j GO^fifi To the last, it is the apparatus of Pj. 

Ped (xlj - rj, xlj • Ped(x1 j-rj. x1 j-sj+s 1j) [g1, g2] -> (rxlji, rslji) 

s j + s 1 j ) [g 1 , g2]^ (ERX 1j0..., ERXIjt) 

(rxlj i, rslj i)(E Ped(x2 j-rj, x2 j-sj+s 2j) [g1, g2] -> (rx2ji, rs2ji) 

RX1 j 0, • -, ERX1 j t) (ERX2jO..., ERX2jt) 

Ped(x2jTj,x2j - It carries out. 

8 j + 8 2 j ) [g 1, g 2] -> 
(r x 2 j i , rs2j i)(E 
R X 2 j 0, -, ERX 2 j t) 



[0 0 7 4] 

±lE#Jlfi& P 1 ~ P n <D&^g 

&m?f-tz>o p i <DBm*. s 
m Ltc^mmmmm^ ( r x 

1 1 i , r x 1 n i ) frb^ 
L a g r a n g eWftffi$k% 



[0074] 

Each apparatus of P1-Pn performs the 
above-mentioned procedure. 
The apparatus of Pi is the ensemble (rx 11L., 
rxlni) of a distributed secret value which 
received to a Lagrange interpolation coefficient. 



[0 0 7 51 



[0075] 
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[Sfc 6] 



[EQUATION 6] 



xl j' = E )E(l ii j , (l rxl j 1 mod q 

As (Iambda)j1 (alpha)=llkD(alpha), k not equal to jj/(j-k), 

&H-3M*3 0 iELV^xl j' (7) It calculates these. 

>"7 f -7 ^ ^ ©Id?: j3 i: L> Let an ensemble of the index of correct x1j' be 
I 0 | > = t + l<Dk%, (beta), | At the time of (beta)|>=t+1 

[00 76] [0076] 

[$C7] [EQUATION 7] 

EjejAj.* x 1 j' =S Je * Uj./> Si ea Ai. a rxlij) 
= 2iea*l,« tSje/fAj.,9 rxl i j I 
= 2 iea A j >a r i • x 1 i = r • x I 



kl£*). fl^lr • x 1 £0 

ttt5wi#-e#o©t? t xl 

j ' i5 r . x i©t fc<D&Wt® 

«ftTJ&5-i:»5, x 1 
j ' x 2 j' fcfl-* 

1-5. 5£fc, «WMty l j' , 
y 2 j ' (cov>r^l^#{c^f5: 

[0 0 7 7] 
Cramer-Shoup Bf#*-jSfe{c:«t •? 



A these next door, multiplication result r-x1 is 
recoverable, therefore, it turns out that x1j' is 
the t-th distributed secret value of r-x1. 
It calculates x2j' as well as x1j'. 
Furthermore, it performs and calculates a 
distributed multiplication procedure similarly 
about secret value y1j' and y2j'. 

[0077] 

After receiving cryptogram E=(u1,u2,v,e) with 
respect to plaintext m enciphered by the 
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ttXE= (ul, u2, v, e) Cramer-Shoup cryptographic method, the 

£gfs Ltc& (S3), apparatus of (S3) and each decoding person Pj 

P i ©Slfi, c=H (ul, calculates c=H(u1,u2) and 

u 2) *3«fctfV j =u l x1 ' +cyV Vj=u1 x1f+cyir u2 x2/+cy2 V rj modp. 

u 2 x2/+cy2j ' v 41 mod p £tr& L (S4), it transmits Vj to all other decoding person 

(S 4h^i£Miiffi££riIDT apparatus through a broadcast type 

$L<D^X ©Itfil^V j £ communication channel. 

mm-fZ (S5) 0 &{C, (S5). 

^^fSfi, (V 1 , V n ) ff) Next, each decoding person apparatus checks 

MS5^BCH^©3 - that the index part of (V1..., Vn) is the coding 

- K"C*>-5 - i £flfc8B1-<5 ( S word of a BCH code. 

6) 0 a— K17— KDBB^JKfi, (S6). 

Xffl. F.J. MacWilliams : " The Coding word check procedure, documents 

Thory of Error Correcting F.J. MACWILLIAMS : 'THE THORY OF 

Codes " , North-Holland ERROR CORRECTING CODES", 

Mathematical Library, NORTH-HOLLAND MATHEMATICAL 

pp.201 -202 * tc f± „ LIBRARY, PP.201-202 

M.Ben-Or.S.Goldwasser, Or 

A.Wigerson: " Completeness M.Ben-Or.S.Goldwasser, a.Wigerson: 

Theorems for ""< Completeness Theorems for 

Non-Cryptographic Non-Cryptographic Fault-Tolerant Distributed 

Fault-Tolerant Distributed Comput 

Computation " , 20 th ACM It is detailed to ation", 20 * ACM Symposium on 

Symposium on Theory of Theory of Computing^', pp. 1-10, and 1988. 

Computing, pp.1-10, 1988 (Cf£ The coding word check procedure is shown 

LV\> JsTFKa— K!7— Kfflffl below. 

¥)ii§r^i~ c , It considers it as n root of 1 in *w!=1 £• mod q, it 

• w 1 £r mod q 7?<D 1 (O n considers it as (xi)ij=w i(i " 1) modq. 
ift^U I i j =w m) mod Alljof*j=1...,2t 

q t-tz> 0 

• j = 1, -, 2 t^tOj 



[0 0 7 81 [0078] 
[$C8] [EQUATION 8] 
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V i f n V2«J--Vn* ,J nod P = l 



JlRtCl i «9 . (VI, Vn)© 

w &ie l < * v * r k tm m 
Litm&. &m^%p j (omm 

v^mod pOft&mRX'hZ 
r <t£x 1 j ' , x 2 j ' , y 
1 J ' , y 2 j ' , r j lc§g-T 

5fflf«sraie>i-it*<, mi® 
mum k i o xm^m^mn 

KUW-tZ (S7) 0 



It checks becoming these. 
When it becomes clear with the 
above-mentioned procedure that the index part 
of (V1...,Vn) is not correct, it is each decoding 
person's Pj apparatus, without it leaks the 
information concerning that Vj is the calculation 
result of u1 x1f+cy1 'u2 x2 ' +cy2 V ri mod p, and ] 
x1j',x2j',y1j\y2j\rj, it proves to another decoding 
person apparatus by zero knowledge proof 
(S7). 



[0 0 7 9] 

p j <Dun-rz>#n®mx 

1' , x 2' , y 1' , y 2' , 
r iZ-MVX^ a , a 1 , a 2 , 
b 1 £fc5£Ufc<tLT 

R= g l r g 2 s mod p 

RXl=ERXlO=R x1 g2 

a1 mod p 

RX 2 =ERX 2 0 =R x2 g 2 
a2 mod p 



[0079] 

It performs this zero knowledge proof as 
follows. 

However, by explanation of the procedure with 
respect to following Pj, since Subscript j is 
attached to all variables, it excludes and 
demonstrates this. 

First, it is to distributed secret value x1' which Pj 
maintains, x2\ y1\ y2', and r considering a, a1, 
a2, and b1 as a certain random number. 
R=g1 r g2 s mod p 
RX1=ERX10=R x1 g2 a1 mod p 
RX2=ERX20=R x2 g2 a2 mod p 



RY 1 =ERY 1 0 
b1 mod p 

RY2=ERY2 0 



R y1 g 2 R Y 1 = ERY 1 0= R y1 g2 b1 mod p 
RY2=ERY20=R y2 g2 b2 mod p 
R y2 g2 It can acquire the values R, RX1, RX2, RY1, 
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mod p and RY2 of the becoming commitment from the 

453?? M> bO-fifR, R commitment value of the coefficient exhibited 
XI, R X 2 , RY1, RY2 with distributed random-number generation 
£\ ^ffcSLifr^J&^l&JocfcTJ^ means and distributed multiplication means to 

anyone. 



[008 01 [0080] 

P j fiSUfcw Ot:Z qi07^ Pj chooses a random number wO from Zq at 

y A(ci§$R L, random, k=g, L=g w0 mod p 

K = g , L = g ^mod p It sends these to another decoding person 

«rte0>tt##$W^3Htt" 5 0 apparatus. 

ftiltf^-i-^iSilfi^ LT Another decoding person apparatus 

Rand ([eO], [e 1]) [K, cooperates. 

L]-»(eOi,eli)(Ee Rand([eO], [e1]) [K, L] -> (eOi, e1i) (EeO..., Eet) 

0, — , Eet) 

£HfT UEeO= K^L^mod It performs these, it sends EeO=K e0 L e1 mod p to 

p &: P j 60^g^^#-^"5 o the apparatus of Pj. 



[0 0 8 1] [0081] 

P j O^fltfiSLicw l ~w 1 8 The apparatus of Pj chooses random-number 

£• Z q i V 7 yfMzmtil U w1-w18 from Zq at random, ti =gi w1 g 2 w2 modp 

Ti = gi** g 2 w2 modp T 2 =gi w3 g 2 w4 modp 

T 2 = gi w3 g 2 w4 mod p T 3 =g w V 6 modp 
T 3 = g^g* 6 modp 



R^h^modp 



T 4 
T 5 
T 6 

T 7 =R w "h w,u modp 



,w2 h w8 
w3 ^ w9 
w4 i wlO. 



<v ; ° modp 
R WJ h™modp 



T 8 = g w11 h^mod p 
T 9 = g w13 h w14 mod p 
T^g" 15 h^mod p 



T 4 =R w1 h w7 modp 
T 5 =R w2 h w8 modp 
T 6 =R w3 h w9 modp 
T 7 =R w4 h w10 modp 

T 8 =g w11 h w12 modp 
T 9 =g w13 h w14 modp 
Tupg^h^modp 
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Tn=g w17 h^mod p T^g^h^modp 

T 12 - u 1 w11+cw15 u 2 w13+cw17 v T 12 =u1 w11+cw15 u2 w13+cw1 V w5 mod p 

_w5 mod p It calculates these, it sends to another decoding 

£rifjSLT, ftil^tf^#i^^^ person apparatus. 

mm- &o 

[0 0 8 21 [0082] 

4&<0&^%&WiftftWtftl95$i$: Another decoding person apparatus exhibits a 

4kHB IteO, el *&W<ik distributed secret value, and it recovers eO and 

P j (DmW^mttirZ> 0 P j <D e1 , it sends to the apparatus of Pj. 

Sill, E e 0=K e0 L e1 mod The apparatus of Pj checks that EeO=K e0 L e1 

p So: t %WM\^. J$ modp is formed, it stops proof, when not 

V±Ltcfo^m&temW£*±'f formed. 

3 0 n th&ffc Slo^r^, P j It is the apparatus of Pj when this is formed. 

Oolite S1=w1+e0 and xlmod q 

Sl=wl + eO'xl mod q S2=w2+e0 and x2mod q 

S2=w2 + eO*x 2 mod q S3=w3+e0 and ylmod q 
S3=w3 + e0*yl mod q 

S4=w4+e0*y2 mod q S4=w4+e0 and y2mod q 

S5=w5 + e0*r mod q S5=w5+e0 and r mod q 

S6=w6 + e0*a mod q S6=w6+e0 and a mod q 

S7=w7 + e0*al mod q S7=w7+e0 and almod q 

S8=w8+eO*a2 mod q S8=w8+e0 and a2mod q 

S 9 = w 9 + e 0 • b 1 mod q S9=w9+e0 and blmod q 

S10 = w10+e 0 • b 2 mod S10=w10+e0 and b2mod q 

q S11=w11+e0 and r-x1mod q 
S 11-= w11 + e 0 • r • x 1 mod 

q 

S12 = w12+e 0 (a • x 1 + S12=w12+e0(a-x1+a1) mod q 

a 1) mod q S13=w13+e0 and r-x2mod q 

S13-w13+e 0 • r • x 2 S14=w14+e0(a-x2+a2) mod q 

mod q S15=w15+e0 and r-y1mod q 
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S14=w14+ e 0 (a • x 2 + 
a 2) mod q 

S 15= w15+ e 0 • r • y 1 
mod q 



S16 = w164- e 0 (a • y 1 + 
b 1 ) mod q 

S17=w17+ e 0 • r • y 2 
mod q 

S18=w184- e 0 (a • y 2 + 
b 2) mod q 

^frgLTS 1~S 1 

w o zm<Dm ^%mw.^%tt-r 
5 0 ttL<Dm-%%mwit. 



S16=w16+e0(a-y1+b1) mod q 

S17=w17+e0 and r-y2mod q 

S18=w18+e0(a-y2+b2) mod q 

It calculates these and sends S1-S18 and wO to 

another decoding person apparatus. 

Other decoding person apparatus, 



L = g *° mod p L=g v "°modp 

gi s1 g 2 s2 =T 1 X e0 modp d^gz^^X^modp 

g 1 33 g 2 s4 = T 2 Y e0 mod p d ^2 ^=72 Y 60 modp 

g 55 h 56 = T 3 R 60 mod p G^h^Ta R°° modp 

R si h s 7=T4 (RxD^mod R^M^RXI^modp 

P R^h^Ts (RX2) o0 mod p 

RS 2 h s8 =Ts ( RX2) eo mo(j R^h^TetRYI^modp 

p R^h 810 =T 7 (RY2)°°mod p 

R s3 h s9 =T 6 (RY 1) ^mod 

P 

RS 4 h sio =T7 ( RY 2) e0 mod 



gS n h s 12 =Ts ( r x 1 ) 
^mod p 

g s13 h s14 =Tg ( RX 2) 

e0 mod p 

g 515 h 316 = T 10 ( R Y 1 ) 
e0 mod p 

g 817 h 818 = T t1 ( R Y 2 ) 



G s11 h^TsfRXI^modp 
G s13 h s14 =T 9 (RX2) e0 modp 
G s15 h s16 =Tio(RY1) e0 modp 
G s17 h s18 =Tii(RY2) e0 modp 
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^mod p 



u 1 S11+cS15 u 2 S134CS17 v -S5 = ^SIHcSIS^SIS+cS^-SS = J nS ^ mo6 p 

T 12 V e0 mod p It verifies that these are formed. 

[ 0 0 8 3 I [0083] 

±^{i, P j ©gf^V, X, Since an above formula is formed only when the 

Y, R, RX1, RX2, RY apparatus of Pj makes 

1 , R Y 2 £IE L < ffr& Ltcm V,X,Y,R,RX1 .RX2.RY1 ,RY2 correctly, when not 

^KfOfyfa <9 io©t\ -of formed at least one, it considers verification as 

fcfife 9 &fc&V^f£-tt&liE£:&: failure (explanation which omitted the subscript 

mt-fZ £«8&L "j" above). 

fclftWf4&±) o iiE01{::$cflfcLfc. It is considered that the apparatus of the 

j ©gflitti&J8i#"Cfc decoding person Pj who failed in proof is a 

5<t.i,&£ii„ ifeJ&^O^&SHi deviation person, another decoding person 

x 1 j' , x2 j' , y 1 j' , apparatus recovers a deviation person's secret 

y 2 j ' , r j &4iL<D&-%r%i$& value x1j\x2j\y1j , ,y2j',rj using a secret value 

H^^JiRSr^V^TIH recovery procedure, it exhibits the correct value 

ffiU iEU^Vj©ffi^lt ofVj. 

So - - "Cco^^iilM^^liifC About a secret value recovery procedure here 

o 1 11 , #1 x. fi\ :£ Aft For example, documents 

A.Herzberg, et.al: " Proactive It is detailed to A.Herzberg, et.al: " Proactive 

secret sharing or How to cope secret sharing on How to cope with perpetual 

with perpetual leakage " , leakage", Advances in 

Advances in Cryptology-CRYPTO'95,LNCS 963, 

Cryptology-CRYPTO'95,LNCS pp.339-352, Springer- Verlag, 1995. 

963, pp.339-352, It includes the exhibited correct value of Vj, it 

Springer-Verlag, 1995 CPL obtains the correct (V1...,Vn). 
V\ Z<D'£ffl£tltclE^V j 
(DmZ*afrX, 1^ (VI, 
Vn) £#5o 

[0084] [0084] 

(V 1 , — , Vn) <D^W.W After the index part of (V1..., Vn) checks the 

jELI^ k&l$MLtc& s flffe correct thing, it decompresses a value V with 
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pP£#i~5^$£^7c^MIfcci: the secret decompression procedure with 

•9, flltVSr^7cfSo respect to an index part. 

fiSfiVrt* i Ic^UV^j&m!?jO»£: It examines whether each decoding person 

18^ 3fL< ftl^*e>rftl#S: apparatus has V equal to 1, if not equal, it will 

LTf?iti~<5 (S8) 0 ^L refuse decoding and will stop. 

^tebtf, m 4 (om^trnm^ (ss). 

^MS-SMfP j <£>^fLf±D j = u If these etc. come to be by carrying out, each 

l zj modp £rfH> LsMc^^HMim decoding person's Pj apparatus will calculate 

9 ffiO^toattSf Dj=u1 2j modp like the case of FIG. 4, it transmits 

^i£ffU D j Sr^fiiLfc^Mg to all other decoding person apparatus 

^^fifi (D 1 , Dn) according to a broadcast type communication 

(c^tLT (VI, Vn) C channel, each decoding person apparatus 

MLXff-ofc(D t IrJI£<Z)^ — K which received Dj performs verification of the 

V— K©tliBE£:fTV\ ^FIE?:^ coding word similar to having carried out by 

mLtcm&fcUmmzmMU. receiving to (D1..., Dn) (V1..., Vn), when 

^4rtToT^5fe#Sr#^L, IE irregularity is detected, it performs zero 

LV^D j (DiU&^!&iM\B}'&^M knowledge proof similarly and specifies a 

^r^V^TtHl^^So deviation person, it recovers the correct value of 

Dj using a secret value recovery procedure. 

[0 0 8 5] [0085] 

ZZV<D^to&Wfit3iSkT<0& It performs zero knowledge proof here as 

5lcHfTl-5 0 P i 0>£Bf±S- follows. 

SdO^rZqct^V^ The apparatus of Pj chooses a random number 

dO from Zq at random, w=g 1 ,Q=g 1 d0 modp 

W=g 1t Q=gi d0 modp It sends these to another decoding person 

£fife©&-^#3£g^i^-t-3 0 apparatus. 

f&^tt^^SBfi. IS^LT Another decoding person apparatus 

R a n d ([ c 2 ], [ c 3 ]) [W, cooperates. 

Q]^(c2i, c3i)(Ec Rand([c2], [c3]) [W, Q] -> (c2i, c3i) (EcO..., Ect) 

0, — , Ect) 

£ H ?T L , EcO-W^Q 03 It performs these, it sends EcO=W c2 Q C3 modp to 

mod p £r P j (D^M^^H't the apparatus of Pj. 

<5 Q 
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[0 0 8 6] [0086] 

P j £>i*iil fiSLifr d 1 , d 2 $r The apparatus of Pj chooses random numbers 

Z qXV y ^^Afcil^ U d1 and d2 from Zq at random, ti 2 =gi d1 modp 

Ti2= gi d1 modp Ti3=u1 d1 modp 

Ti3= u 1 d1 mod p It calculates these, it sends to another decoding 

SrfHSLTx ^(D'&^^l^WL^ person apparatus. 

i£fti"£> 0 <Bl©t8-^#3iEfi{i# Another decoding person apparatus exhibits a 

ffc^^fit^r^lll LX c 2 , c 3 distributed secret value, and it recovers c2 and 

£0% U P j c3, it sends to the apparatus of Pj. 

<5 0 

[00 8 7] [0087] 

P j (DBW^E c 0 =W c2 Q C3 The apparatus of Pj checks that Ecrt^W^Q 03 

mod p fcf& 9 r £ £r#i|g modp is formed, it stops proof, when not 

U f&V ±tct£^m^femn* formed. 

^ ihf5o dtb^^c *9 i^oiHh It is the apparatus of Pj when this is formed. 

P j <£>^fite S0=d1+c2 and zlmod q 

S0 = dl + c2*zl mod q It calculates these and sends SO and dO to 

£: ff^[ LTSO^ocfct^dO $:itiL another decoding person apparatus. 

<D'iM^%^\8:^T£tt~$~Z)o $L<0 Other decoding person apparatus, q=gi d0 modp 

Q = g1 d0 modp 

g 1 s0 = Ti 2 X j 02 mod p d ^T^Xj 02 modp 

ul^TiaDj 62 mod p UI^TuDf 2 modp 

<9 £0 r t &$liE-f6o It verifies that these are formed. 

[0 0 8 8] [0088] 

±^{i. P j O^g^ D j £rIE Since an above formula is formed only when the 

L< { / Ef$LtcW>'nte<DZh$ t V)±L apparatus of Pj makes Dj correctly, when not 

oco~C\ — o~C hf$ V) A^fc&V^ formed at least one, it considers verification as 

m&n&UZfkmt't&o &m failure. 

^#^gfi> lELV^ (Dl, — , From the correct (D1...,Dn), with the secret 

Dn) ^ffclfl$lc#i"<5$5 decompression procedure with respect to an 

^^75¥l'liiCct oTD= u l z index part, each decoding person apparatus 

mod p^^75L, m=e/D decompresses D=u1 z mod p, calculates 
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mod p^rfh^LT^ y± — i? m=e/Dmod p, and decodes Message m. 

m o 

[00 8 91 [0089] 

IH7(c||J|^iJ2(cioJj-2>^W The example of functional composition of the 

'&Wt<D$kMffif&$l%:?Fi~o decoding person apparatus in Example 2 is 

y 2 1 fCfi x 1 j , x 2 j , y shown in FIG. 7. 

1 j, y 2 j , z j ©SS^i^ The secret key of x1j,x2j,y1j,y2j,zj is stored in 

ffiti^tK ^HflLw j , g 1 , memory 21, the open values wj, g1, g2, and p 

g 2 , p , q ft if MStt £ ti, and q etc. are also stored, furthermore, memory 

iLSCfl-gR-^l'ff i~<5ttf 21 is used in order to carry out the temporary 

^bStfa <5tff $B3r— ^FfStt"t" memory of the information which it transmits to 

3 2 l/O^V^tL the exterior, and the information which it 

5„ #ffclSL&4^ffi 2 2 UliPttf receives from the outside. 

#tfc£l 2 3 „ ^tfeSJ^^fiE^ 2 The distributed random-number generation part 

4 , #ifc3&$S;!)D^§£ 2 5 «fc <0 ft 22 is made up of the secret dispersion device 

9. rtbkfcj; 9 x $&?ftx 1 23, a distributed secret verification device 24, 

j, x 2 j , ylj, y 2 j , and a distributed secret adder 25, and 

z j tfSfNc^tK ^fcHJ^r GO secret-key x1j,x2j,y1j,y2j,zj is made by these, 

r j tj^Blc £ tL5 0 /n 5/ and the distributed value rj of a random number 

2 6 {Ci <0 gf§Bf #;£E r is also formed. 

(Cov^T c =H ( u 1 , u 2) The hash function calculation of c=H (u1, u2) is 

(Ds^yi/^MWcffiM-ftftiifa^ performed about the receiving cryptogram E 

£ tz^-^mt^W^ 2 7 (c X 9 V with the hash device 26, moreover, it is Vj= (the 

j= ( ul »Wi u2 ^i v -i) calculation of u1 x1ifcy1j u2 x2ifcy2 V 1 ) , 'mod p is 

rj mod p <DtfcW.frfft>j?L : £> 0 M performed.) by the power calculator 27. 

3 1 f4S^#t$:2& 3 The secret dispersion part 31 is made up of a 

2, ftWtW&tkU?&3 3 <£ 9ft secret dispersion device 32 and a distributed 

*0s SJMIV j ^Vj k(CLt secret verification device 33, and the secret 

VMI2 t (DtikM RrtiM^-tfefe value Vj is dispersed by Vjk with a with a 

lc«fc 9 ^fc^tb^o threshold value of 2t verifiable secret dispersion 

Utc%s 3 4 (;: J; 9 , V k method. 

WJc^ti-SSMSf^TC^HS^Ufi 1 With the index part secret decompression 

£tK BCHn- K 17 — K&IE device 34, the secret decompression procedure 

S35K:J:DD1, — , Dnco with respect to the index part of Vk is 

w 1 &Jg.b1-Z>MWtttWctfBC performed, and it is checked that the discrete 
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H$f-%<D^— KJ7 — KtfeSr logarithm which uses w1 of D1...,Dn as a 

£#«MR$;ii,5o ^Miiff^ bottom with the BCH coding word verification 

if 3 6 % Mc^^iMit^it^ 3 device 35 is the coding word of a BCH code. 

7 . iSS'Jilfl %tit%& 3 8 , Mftl The broadcast type communication receiver 36, 

ii{f^fi£s3 9^ixtt^tLx M the broadcast type communication transmitter 

{CffiJflfSU 1 {dj; 9#|fPi5j(|jjfe 37, the individual communication receiver 38, 

fijf^£-fr £>ti<5 0 and the individual communication transmitter 39 

are provided, furthermore, the control part 41 
lets each part carry out a sequential operation. 

[00 9 0] [0090] 

S3 8 fcMltifeffl 3 fc^jV^faS^g The same number is numbered and shown in 

^#i^fi<Z>#iitifflfJ5JG£\ 0 7i the part which corresponds the functional 

^J&"t~<5lfl#f£[Rl— #7? £rtttt composition of the decoding person apparatus 

T ^-f o #S^£¥S 4 3 (C X used for FIG. 8 at Example 3 with FIG. 7. 

9* SLIfcr i:§ME$ix KD%M& By the distributed multiplication means 43, 

L#Vvftt<7>«#ffc&fC<fci9 value x1j' which dispersed the product of a 

^ffcLfcfifx 1 j' , [p^ftfif random number r and a secret key x1 with the 

x2j' , ylj' , y 2 j' secret dispersion method of threshold-value t, 

flSjfcJ&kil/So ra354 4te£L similar value x2j\ y1j\ and y2j' are called for. 

45, ^ 4 Proof part 44 

6 , • 1)U%$$4 7 i *9 Random-number generation device 45, power 

& 9 ^ V j jjs u 1 x1 ^ +c y 1 ^ u 2 calculator 46, a remainder multiplication and 

x2/ + cy2f v -n mod p ®p|-J|j£x~? adder 47 

fo^t £^&!8fcEWt£«fcoT It is made up of these, it proves that Vj is the 

tt©tt«K:EWi-5 0 calculation result of u 1 rt ^'u2 x ** es « r v Hf modp 

IEK¥Ii[I c f , ©^IiE{4^IIESP4 8 to another decoding person by zero knowledge 

4 9 £tfctfeR»5 proof. 

1 fdct f9 ?rt>tiZ>o Verification in zero knowledge proof procedure 

is performed by the power calculator 49 and 
comparator 51 of the verification part 48. 

[00 9 1] [0091] 

[38W©J»*] [ADVANTAGE OF THE INVENTION] 

Cramer-Shoup RiNHc&tt £U Since the correctness of a cryptogram is 
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Z(D^M verified by verifying whether the value which 

T*f±^^<Dft^/5^<Dj6££q carried out the power of the value of the 

9#&V>&8fcf^<fcoT^#SsL verification type at the time of decoding in a 

fcfflM* 1 £#5)0>5ri*$rt&l5Ei~ Cramer-Shoup code with the random number 

<5 t {C ioTB^-^^t^IE^tt with which everyone of a decoding person 

SrtfciSE LTl^fc&x cannot know that value in this invention is set to 

tciM&'Jkffi LX ^Motfknit 1, even if it exhibits the value which carried out 

^{^&}t5liiX§ii~5tfi#fi— the power, it reveals no information about the 

^. <7>Ml;4>iE L < value in an original verification type, 

f^fifc £ titc Z t Ir^^Pf^lE^ {C By proving to a third person that this value was 

X oT^H#^fE0J1~ SVfC J: made correctly by zero knowledge proof, it can 

9, ^{tLfcBf-^-jt^TnW^liE prove to a third person that the cryptogram 

^^iSfSLftl^ t Sr^ZL^f^ which received does not satisfy the original 

HEPJ-f 3 £ t ^T*# 5 0 verification type. 

[0 0 9 2] [0092] 

$ ?>{C % fL^'C^^j^H^ irl^ Since the value of the verification type before 

0 ft^£#ffcfH>(^ J: 9 » ±tf carrying out a power is not revealed to all the 

^^(OWj^J "Cfr decoding person, either, also when not filling a 

Xs verification type by furthermore performing 

^#^i"5ffi©tfefE5£©^ calculation of carrying out a power by random 

<Jf (D&^r^tlz hMUkir?) w i: numbers, by cooperation of all accountants by 

fi&V^fcft* ^-^(T^iC'fvE distributed calculation, even if there is an 

#^V^fc <t LT 55:S#fifpf irregular person in a decoding person, since an 

<D$\\& t ^fc aggressor can get no profits, he is the decoding 

#>> 3&ftBff^:£?fc*fcMLT method with a safe threshold value to the 

L # V M(f+ # £ alternative cryptogram attack. 

[0 0 9 3] [0093] 

Uic^^^^^B'J^^^^ cfcti Furthermore, according to another viewpoint of 

^> ^^JfilE^fc J; o "tfHS&a this invention, it specifies an irregular person by 

*©EMitt£#tgWtcfEK3 letting each decoding person prove the 

£lc«toT^jE#£4$S£: correctness of a calculation result by zero 

L x lE-S&T^-^W^Srffll^T knowledge proof, since verification of a 

Bt^AW^BESrff Igm- cryptogram is performed only using rightful 
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%<D^nl<clk$\Ltcf\~W'-!kX*%k data, it can perform verification by the 

HE£rtf O^h t**iH£T?foZ>o £ computational complexity proportional to 

tz, #!KW©tt#*£*#BC several n of a decoding person. 

H^^(D 3— K!7— K£ft<5<fc Moreover, it sets each decoding person's 

5lc#Ift(D@f^lI$: inherent open value that each decoding 

aEi#>, £i\ ff-^^JfWSrn— K person's calculation result constitutes the 

V— K"Cfo5 ^ 1 $:*k\t%frtfk coding word of a BCH code, and a receiving 

IE U a — K 17— K'CfcVvBH^ party verifies first that a calculation result is the 

\£<Dfy^ftWffl&&'£firtZ>Z. coding word, when the correct cryptogram is 

tfciot, lEUV^Bf-^^t^rS received by performing zero knowledge proof 

{f Lfc^Hcfi, ii{f fi^rfflix. only when it is not the coding word, it can 

tc*£ ^^^^J^ff^^rfT 0 ^ t perform efficient calculation, with the amount of 

pTf£~C& 5 o communication restrained. 

[0 0 9 4] [0094] 

& JfiE^ fofcWt Furthermore, another decoding person 

.^(C, j&CDm^^tfWjJj LXZ computes the distributed secret key which the 

<7)^FIE^^^#/J^o^tS:^^ irregular decoding person has in cooperation 

§l£r^tt5L x teffl'i'Z) t (ciJ; with the case where an irregular person is 

oT> tctihfc^tD^fiEfj:^^ specified, although it also becomes bored by 

#{cft^oT]ELV^^S:th3¥ opening to the public, even if the irregular 

5 ck 5lcf5r person more than 1/3 exists by enabling it to 

tfCcfcoT. 1 /3J£U:(£>^iE calculate the correct result instead of the 

# jO^ffi UT » -frtb^ 1/2 irregular decoding person, as long as it is under 

$cMX+fo&$RV) iC&^T, 3EL 1/2, it can obtain the correct verification result 

^totiE&MkiS&TWLttMk&ft and a decoding result. 

[0ffi(D^^/£mP^] [BRIEF DESCRIPTION OF THE DRAWINGS] 



1 1 [FIGi 1] 

Z<D^^(D^MM 1 (Di/^y-J* The figure showing the system assembly of 

^J&^r^^HIo Example 1 of this invention. 

[0 2] [FIGi2] 
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Z(D$£QM<DM1fe&\ 1 (-ioltS^ The flowchart showing the verification action 

-^#^fi<^fiEftf£¥fl@£^i" procedure of the decoding person apparatus in 

IMtiMo Example 1 of this invention. 

[0 3 1 [FIG. 3] 

?L<D$&8ft(DigW$i 2 (Di/^TJ* The figure showing the system assembly of 

£r^i~H3o Example 2 of this invention. 



m 4 ] [FIGl 4] 

^<D%W(Dmifc&\2{Zi3iJZ)'& The flowchart showing the decoding action 

## P i <£>^g£>tS-^®jfE¥ll! procedure of the decoding person's Pi 

apparatus in Example 2 of this invention. 

[El 51 [FIG, 5] 

r<7)^PJ(D||^J2(c4o(j-?)% The flowchart showing the verification action 

%r%P i<DBWSD&MWlft^M procedure of the decoding person's Pi 

frTrffrMfoMo apparatus in Example 2 of this invention. 



m 6 ] [FIG 6] 

Z.<DWR<D%M$\3 CijottS^ The flowchart showing the verification action 

■3-#P i ©gttW&SEIbfNMg procedure of the decoding person's Pi 

$r^"t"^HIilo apparatus in Example 3 of this invention. 



m 7 1 [FIG 7] 

%W&\2 icfcttS^S-^f^filtf) The figure showing the functional composition 

#ifrff J&£^"^[i] 0 of the decoding person apparatus in Example 2. 

[0 8 1 [FIG 8] 

^2i#J3 {C^ttS^Ti-ig^iEtf) The figure showing the functional composition 

WiWfcflL £r^~f of the decoding person apparatus in Example 3. 

1 1 [FIG 1] 
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FIG 1 

1 1 Cryptogram maker apparatus 

12 Decoding person apparatus 

1 3 Verification person apparatus 
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51 Cryptogram reception 

52 Random-number r generation 
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55 Decoding calculation 

56 Zero knowledge proof 
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FIG 3 

1 1 Cryptogram maker apparatus 
121 Decoding person P1 apparatus 
12n Decoding person Pn apparatus 

14 Broadcast type communication channel 

15 Safe individual communication channel 
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FIG. 4 

52 Dj transmission 

53 All Dj reception 

54 Are (D1, .... Dn) coding words? 

55 It calculates D (index part interpolation). 

S7 Irregular person rejection by zero knowledge proof 
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FIG. 5 
START 

51 Distributed random-number generation 

52 Cryptogram reception 

53 Vj calculation 

54 It disperses Vj with verifiable secret dispersion method. 



Vij reception 
All Vij received ? 

55 All Vij verification 

56 Irregular person rejection 

57 Vj transmission 

Vj reception 
All Vj received ? 



S8 All Vj verification 
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S10 Vi choice of 2t+1 piece -> (alpha) 
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S12 The following combination Present? 
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Failure 
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FIG. 6 



51 Distributed random-number generation 

52 Distributed multiplication 
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53 Cryptogram reception 

54 Vj calculation 

55 Vj transmission 

All Vj reception 

56 (V1 , Vn) Is it coding word? 

57 Irregular person rejection by zero knowledge proof 

Failure 
Pass 
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Secret dispersion part 
Secret dispersion device 
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Distributed random-number generation part 
Secret dispersion device 
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41 Control part 

35 BCH coding word verification device 

45 Random-number generation device 

46 Power calculator 

47 Remainder multiplication adder 
44 Proof part 

49 Power calculator 

51 Comparator 

48 Verification part 

36 Broadcast type communication receiver 

37 Broadcast type communication transmitter 

38 Individual communication receiver 

39 Individual communication transmitter 
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